ABSTRACT


This thesis applies the state of the art techniques for methodical design of secure operating systems to a distributed, multi-microprocessor environment. Explicit process structure and utilization of virtual environments are the fundamental concepts that form a basis for the design presented. The primary design techniques utilized in the design are segmentation, distributed operating system, security kernel, multiprocessing, cache memory strategy and multiprogramming. The resulting design is for a family of distributed operating systems that can provide the power of yesterday's large computer in a microprocessor environment. Security, configuration independence, and a tree structure are the primary characteristics of the design. The design, although hardware independent, was formulated with the Zilog Z8000 or similar microprocessor in mind.
I. INTRODUCTION


The microprocessors available today are affordable and powerful computing devices. Applying these resources to various applications, especially those requiring multiple microprocessors, presents a formidable problem. The solution to this problem is a family of operating systems to effectively orchestrate processor and memory management across a wide range of applications. However, such systems have not come from the specialized microprocessor operating systems in use today. Such an operating system family could provide a major reduction of overall system software cost in the microprocessor environment.

In this thesis the substantial body of operating system design principles is applied to a methodical design of an operating system for the microprocessor environment. For realism the Zilog Z8000 microprocessor[1] is considered representative of modern features. Configuration independence, distributed processing, multiple protection domains, multiprocessing and multiprogramming are addressed in the design of a secure operating system suitable for a family of operating systems: ranging from a specialized tactical system to a multi-user time sharing system.

The thesis will also identify meaningful subsets of the design (viz., smaller members of the family) for potential use, and state hardware needed (future development) to implement the design to its fullest capabilities. The operating system designed in this thesis will be referred to as the SYSTEM throughout the thesis.


A. MOTIVATION 


The processing power of microprocessors is increasing. If this power could be effectively coordinated by an operating system it could provide a more affordable and powerful product. In addition, there is a growing emphasis on the protection of information stored and processed in computers; hence, the requirement for a system that also provides information security.

The multi-microprocessor systems in use today suffer performance degradation as more processors (generally a maximum of 4 to 5) are added to the system. Sophisticated crossbar interconnections between processors and memories can reduce this problem. However, there is still a need for a combination of microprocessors and memory that does not suffer massive degradation as more processors are added.

The ability to configure a system to meet a variety of capacity needs is an important feature; however, as software becomes an increasing portion of system cost, the ability to reconfigure the system as requirements change without major re-design effort is often an even more valuable feature. For this reason the design technique of resource virtualization will be applied as a way to realize configuration independence.


B. BASIC ELEMENTS OF DESIGN 


The SYSTEM is composed of a supervisor and a security kernel[2]. The supervisor supports user services (dynamic linking, discretionary security, demand memory management and a hierarchical file system). The security kernel controls the physical system resources (processors, memory, and external devices) to provide virtual resources for the supervisor.

1. Process Structure


A process within the computer system is an internal representation of the computational task of a user utilizing the system. Each process is characterized by an execution point and an address space. Attributes of each process include a security class authorization and a unique identifier that corresponds to the user. By supporting distinct, explicit processes the operating system allows an application to be divided into several cooperating parts. This process structure leads to simpler, more effective software.
2. Segmented Virtual Memory 


Segmentation involves separating the stored information into discrete packages called segments. Each segment has attributes such as security class and access (read or write) permissions. A process' address space is a collection of segments. Segmentation is used by the supervisor to present the user a random access virtual memory. Copies of all segments are kept on secondary storage until actually referenced, at which time room is made for the segment in main memory, possibly by removing another segment from memory. This demand memory management is done within the supervisor. The supervisor views a non-random access virtual memory. By presenting the supervisor and the user with virtual environments the kernel establishes configuration independence for them.

3. Distributed Operating System


The address space of each process has three domains (user, supervisor and kernel). The domains form subsets of the address space by limiting the segments that can be accessed when the process' execution point is within a given domain. The operating system is part of each process. It is distributed throughout all the processes in protected domains (supervisor domain and kernel domain). Maximum access is in the kernel domain. It is the most privileged, and the traditional privileged instructions can be executed only in the kernel domain. Only the kernel domain has access to system wide data bases.

The kernel domain creates an extended machine for the supervisor and is supported by system processes. The supervisor is less privileged but provides the user domain with certain common services such as discretionary security and virtual memory. It should be noted that by distributing the operating system throughout all processes, services are independently (and simultaneously) available to each process.


4. Processor-Local Memory 


The operating system is designed to support a multiprocessor configuration with a local memory in close proximity to each processor. The local memory is addressable only by that processor. In addition there is a global memory that is addressable by all processors (Figure 1). Segmentation is the key to effective allocation of information between local and global memory. Problems can arise in the use of a local memory. If a process is allowed to execute on any processor then each time the process is switched from one processor to another the contents of local memory must also be switched. Thus the use of local memory implies that general multiprogramming should not be allowed. This problem can be alleviated by allowing multiprogrammed processes to be semi-dedicated, that is, making an effort to restrict the process to a certain processor.

5. Security Kernel


Security cannot in general be built around a present system (i.e., added to) but rather a system must be built around security. Yet today there are a limited number of "secure" systems. One of the main obstacles in providing security is verifying that the system is secure. The recently developed security kernel[2] technology has made it possible to solve this problem. By keeping all the things that provide the security in the security kernel and keeping the things that do not involve security out, the security kernel can be kept relatively small and verifiable. The desire to keep the security kernel small (to simplify the verification procedure) is one of the goals driving several design choices.


C. STRUCTURE OF THE THESIS


First, the fundamental concepts (process structure, virtual memory and security) and their relationships to the SYSTEM are discussed. Second, the design of the SYSTEM is presented. This includes a discussion of the design techniques utilized as well as an explanation of the proposed design. Third, the conclusions are presented.
II. FUNDAMENTAL CONCEPTS





A. PROCESS STRUCTURE 


By dividing a job into asynchronous parts and executing these parts as separate entities, significant benefits can be realized. Within a single processor system, the partitioning into asynchronous parts provides only design simplicity (and thus software economy). In a multi-processor system the partitioning into asynchronous parts is essential if the parallel processing potential of the system is to be realized.

1. Definition of a Process


A process is characterized by an execution point and an address space. Saltzer[3] defines a process as a program in execution on a pseudo-processor. Each process is assigned a unique identifier and is an explicit entity that requires management. In a distributed operating system, those portions of the operating system that are logically part of the sequential flow of control (viz., locus of execution) are within the address space of the user process. This is made possible by dividing the operating system into procedures which are called like any other procedure. It should be noted that in a distributed operating system there is no master assigning processes to processors. Rather, each running process hands off its processor to the next process that is to run.

2. Multiple Domains


To protect these procedures from the user, the process' address space is divided into hierarchical domains: user, supervisor, and kernel. The kernel domain is the most privileged. Only the security kernel executes in this domain and can access all segments within the address space. All system wide data bases are restricted to access by the security kernel to prevent any exchange of information between processes in violation of confinement[2]. There could be more than three domains, and all domains need not be hierarchical, but three is the minimum for this design.

The supervisor domain is less privileged and excludes segments representing the management of the shared resources. The supervisor domain is separated from the user to protect the user from inadvertently destroying the operating system services. The user domain is the least privileged. The data bases utilized by the supervisor contain only process local information - that is, information that is required by this process alone.

Proper controls and checks are utilized when changing domains (flow of control) so that the security policies are not violated. The hierarchy could be implemented with rings[5] in hardware. Since hardware rings are not available in microprocessors, separate segment descriptors for each domain can be used, with software ring changes as was done in the original Multics design[6]. The Zilog Z8000 can use multiple memory management units (MMU) to provide the separate descriptors for each domain. Operating system procedures generally are permitted to reside within the local memory (possibly ROM) of each processor. In the case of the security kernel, some of the data bases of these procedures are shared by all processors and therefore will reside in global memory. To prevent undesired interference by simultaneous accesses to these data bases a locking scheme must, of course, be provided. Choosing to put the operating system procedures in each local memory will waste memory but may well provide higher performance by keeping most memory references to local memory, where there is no contention for the bus to global memory. In a specific instance the choice will be determined by whether or not the cost of memory is significant when compared to the value of the increase in performance.

3. Process Communication and Synchronization





In parallel processing, a job that is composed of a mixture of sequential and non-sequential tasks is explicitly divided into an appropriate structure of processes that can run concurrently. Inter-process communication and synchronization are necessary for parallel processing. Inter-process communication provides synchronization to coordinate the exchange of data between processes. The actual exchange is realized by use of a shared writable segment. This segment acts like a mailbox in that messages (data) can be delivered by any process that has the appropriate access (both discretionary and non-discretionary).

The synchronization between processes is supported by BLOCK and WAKEUP, which are kernel calls to the traffic controller. It should be noted that the P and V semaphores[7] are usable for synchronization but were not chosen. The traffic controller concept is taken from Saltzer[3], and his block and wakeup have demonstrated their usefulness in his design for Multics. The traffic controller is the operating system (kernel) module that manages processes. The traffic controller has the job of scheduling user processes. The traffic controller does this by multiplexing the user processes onto a limited number of virtual processors.

BLOCK and WAKEUP are the primitives of the traffic controller that provide synchronization for the user processes. How the user's procedures invoke the BLOCK and WAKEUP primitives will, of course, determine the actual process structure. These primitives can be used to provide simple cooperation, such as mutual exclusion, or complex interactions when required by the application. A process can only block itself and cannot block another process. The block invokes the traffic controller; the traffic controller puts that process in the blocked state and then schedules another process to run on that virtual processor. Which process is scheduled next is determined by the specific scheduling policy of the traffic controller.

The wakeup is used to provide asynchronous processes a synchronization signal. The parameter passed with the wakeup is the process ID of the process for which the wakeup is intended. The wakeup invokes the traffic controller. The traffic controller checks the state of the process specified by the parameter. If that process is not in the blocked state the traffic controller returns; otherwise it will put that process in the ready state and determine if there is another process running with a lower priority. If this is the case the traffic controller will send the virtual processor that the lower priority process is running on a pre-empt interrupt, then return. The process that receives the pre-empt interrupt will transfer control to the traffic controller, which will in turn schedule the ready process with the highest priority.
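To make the BLOCK and WAKEUP behaviour just described concrete, the following Python simulation (an added illustration, not code from the thesis) models a traffic controller multiplexing user processes onto a fixed number of virtual processors. The process table layout, the numeric priorities, the highest-priority-ready scheduling policy, the use of an idle processor on wakeup and the synchronous handling of the pre-empt interrupt are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

READY, RUNNING, BLOCKED = "ready", "running", "blocked"


@dataclass
class Process:
    pid: int
    priority: int                 # assumed: larger number = higher priority
    state: str = READY
    vp: Optional[int] = None      # virtual processor it currently runs on


class TrafficController:
    """Multiplexes user processes onto a small, fixed set of virtual processors."""

    def __init__(self, n_vps: int) -> None:
        self.procs: Dict[int, Process] = {}
        self.running: Dict[int, Optional[int]] = {vp: None for vp in range(n_vps)}
        self.preempts: List[int] = []   # record of pre-empt interrupts sent (vp numbers)

    def create(self, pid: int, priority: int) -> None:
        """Enter a process in the ready state; use an idle virtual processor if any."""
        self.procs[pid] = Process(pid, priority)
        for vp, cur in self.running.items():
            if cur is None:
                self._dispatch(vp)
                break

    def _dispatch(self, vp: int) -> Optional[int]:
        """Scheduling policy (assumed): run the highest-priority ready process on vp."""
        ready = [p for p in self.procs.values() if p.state == READY]
        if not ready:
            self.running[vp] = None
            return None
        nxt = max(ready, key=lambda p: p.priority)
        nxt.state, nxt.vp = RUNNING, vp
        self.running[vp] = nxt.pid
        return nxt.pid

    def block(self, pid: int) -> Optional[int]:
        """BLOCK: a process may only block itself; its virtual processor is rescheduled."""
        p = self.procs[pid]
        if p.state != RUNNING:
            raise ValueError("only the running process can block itself")
        vp = p.vp
        p.state, p.vp = BLOCKED, None
        return self._dispatch(vp)

    def wakeup(self, target_pid: int) -> Optional[int]:
        """WAKEUP(pid): if pid is blocked, make it ready and pre-empt a lower-priority
        running process; if it is not blocked, simply return."""
        t = self.procs[target_pid]
        if t.state != BLOCKED:
            return None
        t.state = READY
        lower = [self.procs[pid] for pid in self.running.values()
                 if pid is not None and self.procs[pid].priority < t.priority]
        if lower:
            victim = min(lower, key=lambda p: p.priority)
            self.preempts.append(victim.vp)     # "send a pre-empt interrupt, then return"
            return self._on_preempt(victim.vp)  # the interrupt is modelled synchronously here
        for vp, cur in self.running.items():    # assumed: an idle processor picks it up
            if cur is None:
                return self._dispatch(vp)
        return None

    def _on_preempt(self, vp: int) -> Optional[int]:
        """The pre-empted process transfers control to the traffic controller, which
        schedules the ready process with the highest priority on that processor."""
        cur = self.procs[self.running[vp]]
        cur.state, cur.vp = READY, None
        return self._dispatch(vp)


def run_demo() -> dict:
    """Constructed scenario: two virtual processors, three user processes."""
    tc = TrafficController(n_vps=2)
    tc.create(1, priority=3)   # runs on vp 0
    tc.create(2, priority=1)   # runs on vp 1
    tc.create(3, priority=2)   # no idle processor: stays ready
    events = {
        "after_block_1": tc.block(1),            # vp 0 now runs process 3
        "after_wakeup_1": tc.wakeup(1),          # process 2 (lowest priority) is pre-empted
        "wakeup_2_not_blocked": tc.wakeup(2),    # process 2 is ready, not blocked: no effect
        "after_block_3": tc.block(3),            # vp 0 picks up the pre-empted process 2
    }
    return {"events": events, "running": dict(tc.running), "preempts": list(tc.preempts)}


if __name__ == "__main__":
    print(run_demo())
```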

Another SYSTEM module concerned with synchronization is the inner traffic controller. This manages the hardware (real) processors to create the virtual processors that are managed by the traffic controller. The inner traffic controller provides the interface between the virtual and physical (real) processors. The inner traffic controller is responsible for assigning the small, fixed number of virtual processors to physical processors. Each physical processor has associated with it several virtual processors. Some virtual processors are multiplexed between user processes by the traffic controller. The remaining virtual processors are allocated to the system processes. Each system process is assigned a virtual processor. The inner traffic controller determines which virtual processor will run on the physical processor based on the priority assigned to each virtual processor. The primitives SIGNAL and WAIT are used by the inner traffic controller to provide communication and synchronization between the virtual processors. SIGNAL and WAIT are very similar in form and function to BLOCK and WAKEUP, except for the fact that they relate to virtual processors rather than user processes.


4. System Processes


System processes are used to perform operating system functions that are asynchronous to each user process. System processes are typically responsible for the shared resources. The system processes are in the kernel and therefore permitted to access information of any access class. The system processes include the I/O MANAGER and MEMORY MANAGER.

5. Process Switching


Process switching is the removing and assigning of processes to virtual processors. When a process switch occurs the execution point (internal registers) and address space of the process being removed must be saved (unloaded), and then the execution point and address space of the new process must be loaded.

Some systems utilize a descriptor base register (DBR)[?, p.12], which is a pointer to multiple descriptor lists in memory - one list for each process. To change the address space you only need to switch the DBR in the physical processor. However, in microprocessor systems a descriptor list is implemented as registers in the memory management unit (MMU). Process switching can be costly when MMU registers are saved and restored for each change in address space. Alternatively, it is possible to increase the number of MMUs, and then the address space could be changed by just switching control to another MMU.


B. SEGMENTED VIRTUAL MEMORY


In many memory handling schemes a user process cannot run until there is sufficient memory available to load its entire address space. This requires large main memory and restricts the size of the process's address space. An alternative is to use the operating system to produce the illusion of an extremely large memory. Since the large memory is merely an illusion, it is called virtual memory. Demand segmentation is the memory management scheme used to realize the concept of virtual memory in this design.

Memory has three different views which correspond to the three different domains (user, supervisor, kernel) in the computer system. Starting with the user, each view is derived from the previous view by means of an "extended machine" view. The user sees a practically unlimited segmented virtual memory. The user is no longer involved in memory management. Demand memory management is utilized to interface between the user view and the supervisor view.

The supervisor views a fixed amount of virtual memory. The memory is fixed by the physical memory allocated to each process by the kernel. The kernel establishes a mapping between the supervisor memory and the kernel memory. The memory is virtual because there are only absolute addresses in the kernel. The supervisor multiplexes the user's segments onto this fixed virtual memory in response to a hardware fault when the process references a segment that is not in memory. The demand memory management was placed in the supervisor because it is not involved with security and we want to keep the security kernel as simple and small as possible.

The kernel views a fixed physical memory. The physical memory is limited by the local memory available to the processor for use by the user processes. There is some minimum amount of memory required by the operating system in each processor. Before a process is eligible to run, its fixed virtual memory (of the supervisor) must be mapped into the fixed physical memory of the processor. We then call the process loaded. The kernel's memory manager is responsible for the proper mapping as the processes' address spaces are multiplexed onto the processor's physical memory.

The idea is to require that only a limited amount of the job be resident in memory. When the user requests a portion of the process that is not currently in memory, a fault will occur. The supervisor, using the demand memory manager, must find the requested segment and decide where it wishes to place the requested information in virtual memory. The supervisor then sends a request to the kernel to bring this information into memory, thereby repairing the fault so that normal processing can resume.


1. Segmentation 


In most micro systems, the user cannot effectively share memory because the different uses of memory can not be specified. The inability to specify the memory use makes memory management difficult, especially when there is memory local to each processor. The different uses are denoted by shared/unshared and writeable/non-writeable (read). The following matrix lists the uses and where they may reside.

                 writeable        non-writeable
    shared       global           local/global
    unshared     local            local

If the memory can be divided by uses and each part has attributes which distinguish the uses, then the management of memory is made reasonable.
Segmentation provides the ability to divide the memory into parts (segments). A segment is a collection of information important enough to be given a name. Each segment is distinguished from others by its logical attributes, which provide the basis for the desired control. Segmentation provides a mechanism for a limited portion of a process' information to reside in memory at any one time. This also facilitates easy movement of information by segment in and out of memory. The collection of all segments that a process may access (whether or not in physical memory) is what composes its address space.

2. Loading


The loading of a segment consists of finding a segment and making it known (discussed later) to the requesting process (viz., adding the segment to the address space). It is the added feature of segmentation that this loading may be delayed until the segment is actually needed. At that time a segment name can be transformed into a file system pathname. The pathname can then be resolved into the unique identifier for a segment. Then the supervisor requests that a segment number be assigned by the kernel, which makes the segment known to the process. If the segment is then required for execution, it is physically loaded into memory when actually referenced.

Each segment has associated with it a segment descriptor[6] which contains its attributes (address in memory, size, access allowed). Since this descriptor is referenced by the hardware at each access request to this segment, the memory uses can be distinguished. The different segment descriptors of a process can then be combined in a descriptor list. This design utilizes the MMU (memory management unit), which consists of a set of registers, to implement the descriptor list. Each register (segment descriptor) contains the descriptor of a particular segment. The MMU registers retain the distinct attributes of each segment at execution time and, therefore, make it possible for another process to share selected segments, if so desired.

The dynamics of a segment fall into two classes, physical and logical. An example of the physical dynamics is the request of a user for write access to a currently used segment. The operating system can physically move the segment from local to global memory so the segment can be shared without the user's knowledge. A stack segment whose size varies is an example of logical dynamics.

3. Dynamic Linking


When a procedure segment makes an external reference to another segment, the address of the latter segment must be determined. This is called linking: the constructing of executable instructions that achieve references to external objects (segments). Linking need not be completed at load time. It can be postponed until the actual reference is encountered. This waiting to link, until referenced, is called dynamic linking[2]. Segmentation is not necessary to achieve dynamic linking, but it helps. When a process begins execution, it should not have to find and bring into memory any more of its segments than is absolutely necessary to begin running. The mere presence of a reference to an external segment in a segment's text is no guarantee that the flow of control will touch this reference. Therefore, there is little point in undertaking the expense of finding a segment and making it known unless there is some significant expectation that that segment will be referenced during the time allotted to that process. Dynamic linking permits unnecessary linking to be eliminated.

Once the segment has been made known to the process (assigned a segment number), even though it may be moved in and out of memory, the references to this segment need not be changed since the segment number remains the same. The segment descriptor is used to reflect the presence of a segment in memory and its current address in memory. The segment loses none of its attributes by virtue of having been made known to this process.


4. Information Sharing


Segmentation allows direct addressability by the process to any segment within the process' address space. The basic advantage of direct addressability is that the copying of data is no longer mandatory. A segment is also a unit of sharing. This eliminates the need to duplicate a segment for each requesting process and saves memory. Even more important is the idea that sharing provides a means of inter-process communication. This is important for realizing the power of the explicit process structure that is essential to an effective multi-processor environment.

In general each procedure segment must be pure to ensure sharing is implemented correctly. A pure procedure operates on variables in registers or in separate data segments associated with the process. It never stores data internally, nor does it alter itself. The linkage segment is such a data segment used to support the pure procedure. A linkage segment is associated with each process. The linkage segment is composed of linkage sections. There is one linkage section for each procedure segment. The linkage section is used to place all alterable information (linkage faults, segment numbers, other static temporary variables) for the pure procedures. Thus, the process' segments which are pure may be shared while linkage sections must be unique to each process. The fact that the linkage segments are not shared makes it possible to assign different segment numbers to the same procedure in different processes, since segment numbers occur explicitly only in linkage segments, which may be different for each process.
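The following Python model (an added illustration, not code from the thesis) ties together the dynamic linking of Section B.3 and the per-process linkage sections just described: two processes share one pure procedure, each takes linkage faults only for the externals it actually touches, and each ends up with its own segment numbers for the same segments. The search rules, pathnames, unique identifiers, entry offsets and the reserved segment-number range are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed file system: pathname -> unique identifier of the segment.
FILE_SYSTEM = {"/lib/io": 0x101, "/lib/math": 0x102, "/lib/debug": 0x103}
# Constructed search rules: symbolic segment name -> file system pathname.
SEARCH_RULES = {"io": "/lib/io", "math": "/lib/math", "debug": "/lib/debug"}


@dataclass
class Link:
    """One entry of a linkage section: a fault until snapped to (segno, offset)."""
    name: str
    offset: int
    segno: Optional[int] = None


@dataclass
class Process:
    pid: int
    # Kernel's per-process table of known segments: segment number -> unique id.
    known: Dict[int, int] = field(default_factory=dict)
    # Linkage segment: one linkage section (name -> Link) per procedure segment.
    linkage: Dict[str, Dict[str, Link]] = field(default_factory=dict)
    next_segno: int = 8          # assumed: numbers below 8 reserved for the OS domains
    faults: int = 0              # linkage faults taken (the work dynamic linking defers)

    def make_known(self, uid: int) -> int:
        """Kernel call: assign a segment number to uid, or return the existing one."""
        for segno, known_uid in self.known.items():
            if known_uid == uid:
                return segno
        segno = self.next_segno
        self.known[segno] = uid
        self.next_segno += 1
        return segno

    def add_procedure(self, proc: str, externals: Dict[str, int]) -> None:
        """Give a pure procedure segment its linkage section of unresolved links."""
        self.linkage[proc] = {n: Link(n, off) for n, off in externals.items()}

    def reference(self, proc: str, name: str) -> Tuple[int, int]:
        """Execute an external reference from proc, resolving it on first use only."""
        link = self.linkage[proc][name]
        if link.segno is None:
            # Linkage fault: name -> pathname -> unique id -> segment number.
            self.faults += 1
            uid = FILE_SYSTEM[SEARCH_RULES[name]]
            link.segno = self.make_known(uid)
        return link.segno, link.offset


def snapped(p: Process, proc: str) -> Dict[str, Optional[int]]:
    """Segment numbers currently held in proc's linkage section (None = unlinked)."""
    return {n: link.segno for n, link in p.linkage[proc].items()}


def run_demo() -> Tuple[Process, Process]:
    """Constructed scenario: one pure procedure 'report' shared by two processes."""
    externals = {"io": 0x10, "math": 0x40, "debug": 0x00}   # constructed entry offsets
    p1, p2 = Process(1), Process(2)
    for p in (p1, p2):
        p.add_procedure("report", externals)   # same pure text, separate linkage sections
    p1.reference("report", "io")
    p1.reference("report", "math")
    p2.reference("report", "math")
    p2.reference("report", "io")
    p1.reference("report", "io")    # already snapped: no second fault
    return p1, p2
```

The "debug" external is never referenced by either process, so it is never found or made known, which is exactly the linking work the thesis says dynamic linking eliminates.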

The policy of this design is to place the copies of requested segments into local memory, thereby reducing the data bus traffic. If the read-write access requirements are such that a segment must be physically shared, then it is placed in global memory and every process that is given access will access it there. The key to this memory management is segmentation that keeps a segment's attributes explicit. The kernel can properly manage placement in local and global memory with no intervention from the supervisor or the user to declare that the sharing is needed.

5. Access Control


The access control in this design is separated into discretionary (supervisor) and non-discretionary (security kernel). When a segment is requested the supervisor references the access control list attribute for that segment and the access authorized for that process (subject) is determined. The supervisor then passes this to the security kernel so that a non-discretionary check can be made. The kernel compares the access class of the segment to that of the process and the appropriate access is allowed. The access authorized is always the lesser of that requested by the supervisor and that permitted by the kernel. The access one process has for a segment is independent of the access another process has for that same segment.
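The two-stage check written out as an added Python example (not from the thesis): the supervisor consults the segment's access control list, the kernel compares access classes, and the authorized access is the intersection of the two. The access-class lattice (a level plus a category set) and the read-down / write-up dominance rule are assumptions made here; the thesis defers its mathematical model to a later section.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Assumed ordering of security levels; an access class is (level, categories).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
AccessClass = Tuple[str, FrozenSet[str]]


def dominates(a: AccessClass, b: AccessClass) -> bool:
    """a dominates b when its level is at least b's and it holds all of b's categories."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and a[1] >= b[1]


def discretionary(acl: Dict[str, List[str]], user: str) -> Set[str]:
    """Supervisor: the modes the segment's access control list grants this subject."""
    return set(acl.get(user, ()))


def non_discretionary(proc_class: AccessClass, seg_class: AccessClass) -> Set[str]:
    """Kernel (assumed rule): read only if the process dominates the segment,
    write only if the segment dominates the process, so no read-up or write-down."""
    modes: Set[str] = set()
    if dominates(proc_class, seg_class):
        modes.add("read")
    if dominates(seg_class, proc_class):
        modes.add("write")
    return modes


def authorize(segment: dict, process: dict) -> Set[str]:
    """Authorized access = the lesser of the supervisor's request and the kernel's limit."""
    requested = discretionary(segment["acl"], process["user"])
    permitted = non_discretionary(process["class"], segment["class"])
    return requested & permitted


def run_demo() -> Dict[str, List[str]]:
    """Constructed segment and processes; each process is checked independently."""
    payroll = {
        "class": ("SECRET", frozenset({"FIN"})),
        "acl": {"alice": ["read", "write"], "bob": ["read"], "dave": ["read", "write"]},
    }
    processes = [
        {"user": "alice", "class": ("TOP SECRET", frozenset({"FIN"}))},  # ACL grants write, kernel refuses it
        {"user": "bob",   "class": ("SECRET", frozenset({"FIN"}))},      # kernel would allow write, ACL does not
        {"user": "carol", "class": ("SECRET", frozenset({"FIN"}))},      # not on the ACL at all
        {"user": "dave",  "class": ("CONFIDENTIAL", frozenset())},       # may only write up, never read
    ]
    return {p["user"]: sorted(authorize(payroll, p)) for p in processes}
```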
6. Functional Subsets


Some members of the family of operating systems will not include all of the functions made available by this design. As an example, consider a family member (e.g. for a tactical system) supporting applications that are entirely resident in memory and pre-linked. It would require none of the virtual memory functions provided by the supervisor. This design readily accommodates this sort of functional subsetting because of its loop free structure[9].


C. SECURITY


The increased capability of the computer system in the last decade has dramatically increased its possible uses. Many users have actively allowed the computer system to assume an increasing number of jobs upon which the user depends to successfully function. As more dependence was placed on the computer it became evident (regrettably by example) that a knowledgeable user (employee of a user) who has access to the computer also has access to all the information contained within the system. Users such as the government (classified information), banking facilities (transfer of funds), and corporations (trade secrets) have a need to protect certain information from specific users; therefore, there is an increasing demand for a secure computer system. Designating a specific computer to only run at a specific security class, or only running certain security classes at specific times, has proven unsatisfactory for the user who has information at many access classes. What is commonly called a multilevel environment is one in which information and users at different security classes can exist simultaneously on the same computer system without permitting a user to access information he is not authorized to use. One goal is to design a system which will allow secure operation in a multilevel environment.
1. Computer Security Problems 


The initial attempts to provide a secure system involved adding security onto existing systems. This proved largely useless, for designers were intuitively trying to block the methods of would-be penetrators rather than providing a technically sound system design. These futile attempts[13] led to the emerging technique of methodically designing a secure system based on a security kernel derived from a mathematical model (discussed later).

Information security can be provided by external and/or internal control. External control includes guards, watch dogs, door ciphers or anything which would prevent an unauthorized penetration of the compound. Once the penetration is made, the pot of gold is exposed. The internal control is concerned with preventing unauthorized penetration of the computer system. This involves insuring the effectiveness of internal mechanisms in the operating system so that only authorized exchanges of information in a multilevel environment can occur. This includes providing no information to unauthorized users and consistent replies to security violations. The latter is necessary to insure no inadvertent leakage of information[4] concerning the internal mechanisms. External control is expensive and human-prone. It does not provide for the secure sharing of information needed by many applications, thus forcing users to forego many of the capabilities of modern computers. A goal of this thesis is to design an operating system that provides information security by utilizing internal control. External controls are, of course, still required to physically protect the computer system's information.

The reference monitor is an abstraction created to present the conceptual idea of providing a secure computer system. The reference monitor is composed of subjects, objects, and an access matrix. Subjects are system entities such as a user or a process that can access system resources. Objects are system entities such as data, programs and peripheral devices that can be accessed by subjects. The access matrix represents the permitted accesses between subjects and objects. The reference monitor must support the ability of subjects to reference objects as per the access matrix and it must also support the ability to alter the access matrix.

The security kernel[2] is a relatively recent technical breakthrough for computer security. The security kernel is that portion of the computer's hardware and software which enforces the authorized access relationships between subjects and objects. It is the realization of the abstract concept of a reference monitor. The software portion of the kernel acts as an interface between the rest of the system and the hardware. The software content of the security kernel is influenced by the hardware features of the processor. The underlying idea is that if the hardware is proven correct and if the software is kept small and it can be proven correct, then we can provide internal security controls that are effective against all possible internal attacks. Global variables such as the unique identifier have been excluded from the supervisor. This has been done to prevent undesired leakage of information. The global variables are placed in the kernel where their proper use can be verified[11].

The security kernel must meet three essential design requirements. First, the kernel must be tamperproof. Second, the kernel must be invoked on every attempt to access information. Every reference must be checked by either software or hardware that is provided with sufficient information to make correct decisions on granting or denying access. Finally, the kernel must be subject to certification. "Subject to certification" implies that the kernel's correctness must be provable in a rigorous manner using a mathematical model as the basis for the criteria to be met.

In developing a secure system the approach to be followed should consist of the following: determine the security policy to be enforced, develop a mathematical model consistent with the desired security policy, design a security kernel based on the mathematical model, and implement the design using available hardware and required software. A computer system is said to be "secure" with respect to some specific security policy. A security policy consists of the external laws, rules and regulations that establish what access is to be permitted. There are two distinct types of security policy: non-discretionary and discretionary.
NON-DISCRETIONARY POLICY involves checking the requested (viz., the object's) access class (oac) against the access class of the (subject) requestor (sac) to insure they are compatible. Each system contains a lattice structure[12] that defines the relationships between different access classes. The following defines the access permitted:

sac=oac, read/write permitted

sac>oac, read permitted

sac<oac, no access

The lattice can be totally ordered (all classes related) or it can be partially ordered (not all classes related). An example of a policy with totally ordered classes would be the government classification (unclassified, confidential, secret, top secret) of information, oac, and the access class of its users, sac, called the user's clearance. For such a lattice policy the system must insure that access to classified information is always confined to cleared users.

DISCRETIONARY POLICY involves checking an access control list (ACL). If the user requesting access is not included on the ACL then the access is not permitted. This allows users to specify who can access their files. This policy really lies within the non-discretionary structure and provides further refinement. This policy would reflect the "need to know" rule of DOD.

There are many distinct system designs which correspond to the almost endless number of policies; however, the current state of the art allows a simple, uniform mechanism for nearly all practical policies. The implication is that the kernel designer does not have to concern himself with the particular security policy of a specific customer. He must, however, consider the two broad classes of policy: discretionary and non-discretionary.
2. Mathematical Model 


A mathematical model[13] is a powerful design tool for formally translating the requirements of security policy into a precise representation of the behavior of the corresponding security kernel. The mathematical model is a finite state machine model that gives a set of rules of operation for making a state transition. If the system is initialized to a secure state, then the rules of operation guarantee that all subsequent states are secure. Previous research [14] has proven that security kernels whose design is based on mathematical models can be certified correct.

The basic elements of the model are subjects and objects. The model defines the types of access that a subject may have to an object. These access types are read and/or write. The state of the system with respect to non-discretionary and discretionary security is represented by four sets (b, m, f, h). This design implements the non-discretionary security policy in the kernel (sets b, f) and the discretionary policy in the supervisor (sets m, h). The following discussion pertains to non-discretionary security.

b - represents the current access relationships that exist between all subjects and objects. This set is represented by the segment descriptor list, viz., the contents of the hardware registers in the MMU (memory management unit).

f - gives the access class of all subjects and objects in the system. This set is distributed in this design: the process's access class is found in the active process table (APT) and the segment's access class is in the active segment table (AST).

The desired properties of the system are then realized in the form of rules. These rules enforce the desired security policy by manipulating the sets, which may or may not change the state of the system. If the state of the system is changed, it must be guaranteed that the new state is secure.

The discretionary security policy is enforced in the supervisor. This design decision was made because of the lesser importance of need to know controls to the military, and to keep the kernel small for ease of verification.

The sets which are used to enforce the discretionary policy are m and h.

m - corresponds to an access matrix which represents the potential access of the subjects to objects (implements the need to know security policy). This set is represented by the access control list for the segment (object).

h - describes how the objects are hierarchically organized in a directory tree structure. The hierarchical tree structure consists of nodes, leaves, and a root from which the tree emanates. The nodes represent a directory segment (list of attributes for other segments) and the leaves represent non-directory segments (data or procedure). A user is free to create either directory or non-directory segments. The ability to add directories implies that a user, if he chooses, can add to the overall system hierarchy a subtree of arbitrary depth.
3. Properties And Conditions


There are a few basic security properties which need to be considered:

SIMPLE SECURITY CONDITION - this condition addresses the problem of security compromise. If in set b all subjects have an access class greater than or equal to the access class of their objects, this condition is satisfied. This insures the subject only reads information at or below the class for which it is cleared.


CONFINEMENT - this property addresses potential (rather than actual) security compromises. If all subjects could be trusted to perform in a proper manner (with respect to security), then this property would not be needed. The problem is that unless a program is proven to behave in a certain fashion as described by the mathematical model or formal specification, we cannot make any statements concerning its behavior. We must therefore make the assumption that the programs will attempt to violate security regulations. Subjects are therefore assumed to be untrustworthy. The potential for a security compromise exists when a subject has simultaneous read access at class a and write access at class b (class a > class b). For example, the potential for compromise is realized if two events occur: (1) the subject reads secret information from the secret object and writes it into the unclassified object; (2) a second subject whose access class is unclassified gains access to this (nominally unclassified) object and reads the secret information. There are two ways of preventing this type of situation from occurring: high water mark and the confinement property.

High Water Mark - upgrade the class of the file to the highest class requested. This solution, while technically correct, would over classify information so that it would not be available to normally cleared subjects.

Confinement Property (*-Property) - this property requires that all objects to which a subject has write access have the same access class as the subject and that all objects to which it has read access have an access class less than or equal to the access class of the subject. Since a subject will always have write access to some object if it is to perform a computation, we define the current access class to be that class at which the subject wishes to have write access. Since all subjects are assumed untrustworthy with respect to security requirements, the confinement property eliminates the certification requirement outside the security kernel. This eliminates the immense job of certifying the supervisor and the user programs. This property is enforced in the kernel by not allowing any subject write access to an object with a lower access class.

COMPATIBILITY PROPERTY - If an object in the hierarchical structure is inferior (child) to an object (parent) and the access class of the parent is greater than that of the child, then a subject with an access class the same as the child can never access that information, since it cannot access the access control list which is kept in the parent. In order to avoid this problem we introduce the concept of "compatibility". A hierarchy is compatible if access classes are non-decreasing as one moves down the hierarchy from the root. The access class of an object in the hierarchy must always be greater than or equal to the access class of its parent. Since the root has no parent its security attributes are implied (viz., are the lowest of any object). In this design compatibility is enforced in the kernel, but not in the traditional sense of enforcing the access relationship of the parent/child hierarchical structure. There is no hierarchical structure in the kernel. When the segment is created the compatibility is implicitly enforced before the request is allowed.
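As an added illustration (not part of the thesis), the following Python models sets b, f and h with the non-discretionary access table given earlier, the simple security condition, the *-property and the compatibility property described above, and runs the two-event compromise example against them. The class and function names are my own; representing an access class as a level plus a set of categories (so the lattice can be partially ordered) and treating incomparable classes as "no access" are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Totally ordered part of the lattice: the government classification levels
# named in the text. Categories (below) make the order only partial.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class AccessClass:
    """One lattice element: a level plus a set of categories (assumed form)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "AccessClass") -> bool:
        """'Greater than or equal to' in the lattice sense."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def permitted_modes(sac: AccessClass, oac: AccessClass) -> Set[str]:
    """The table from the text: sac=oac read/write, sac>oac read, sac<oac
    none. Assumption: incomparable classes also get no access, since the
    subject does not dominate the object."""
    if sac == oac:
        return {"read", "write"}
    if sac.dominates(oac):
        return {"read"}
    return set()


class SecurityState:
    """Sets b, f and h of the model (hypothetical, simplified representation).
    f: access class of every subject and object.
    b: current (subject, object, mode) triples, what the MMU would hold.
    h: parent directory of each object."""

    def __init__(self) -> None:
        self.f: Dict[str, AccessClass] = {}
        self.b: Set[Tuple[str, str, str]] = set()
        self.h: Dict[str, str] = {}

    def create_segment(self, name: str, oac: AccessClass, parent=None) -> bool:
        """Compatibility: the child's class must dominate the parent's class.
        The root (parent=None) has no parent and needs no check."""
        if parent is not None and not oac.dominates(self.f[parent]):
            return False
        self.f[name] = oac
        if parent is not None:
            self.h[name] = parent
        return True

    def get_access(self, subject: str, obj: str, mode: str) -> bool:
        """Rule of operation: add a triple to b only if the simple security
        condition (read) or the *-property (write) allows it."""
        if mode not in permitted_modes(self.f[subject], self.f[obj]):
            return False
        self.b.add((subject, obj, mode))
        return True

    def is_secure(self) -> bool:
        """Check all of b: reads need sac >= oac, writes need sac == oac."""
        for subj, obj, mode in self.b:
            sac, oac = self.f[subj], self.f[obj]
            if mode == "read" and not sac.dominates(oac):
                return False
            if mode == "write" and sac != oac:
                return False
        return True


def compromise_scenario() -> Dict[str, bool]:
    """The two-event example from the text, run against the rules: a secret
    subject reads a secret segment and then asks to write an unclassified one.
    All names below are constructed sample data."""
    st = SecurityState()
    st.f["proc_secret"] = AccessClass("secret")
    st.f["proc_uncl"] = AccessClass("unclassified")
    st.create_segment("root", AccessClass("unclassified"))
    st.create_segment("seg_secret", AccessClass("secret"), parent="root")
    st.create_segment("seg_uncl", AccessClass("unclassified"), parent="root")
    st.create_segment("dir_secret", AccessClass("secret"), parent="root")
    return {
        "secret_reads_secret": st.get_access("proc_secret", "seg_secret", "read"),
        "secret_writes_uncl": st.get_access("proc_secret", "seg_uncl", "write"),
        "secret_reads_uncl": st.get_access("proc_secret", "seg_uncl", "read"),
        "uncl_reads_secret": st.get_access("proc_uncl", "seg_secret", "read"),
        # an unclassified leaf under a secret directory violates compatibility
        "incompatible_leaf": st.create_segment(
            "leaf", AccessClass("unclassified"), parent="dir_secret"),
        "state_secure": st.is_secure(),
    }
```

The write into the unclassified segment is refused by the *-property, so the first of the two events never happens and set b stays secure.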

The reference monitor is an abstraction of the hardware and software mechanisms that mediate all attempts by subjects to access objects. The decision to permit or deny access is determined by the security kernel. The mathematical model is an interpretation of the reference monitor abstraction and describes the behavior of a secure system in terms of four component data bases (b, m, f, h) and rules of operation. These rules specify how the data base may be changed; they represent an authorize function. The security kernel can only allow subjects to access objects as permitted by its representation of the model's set b. The data base of the security kernel must correspond to the model's data base and can only change as permitted by the model's rules.

The reference monitor of a physical computer system is realized by a combination of software and hardware. The portion required in software depends on the capabilities and limitations of the hardware. There may be objects to which the hardware can not properly control access, and there may be alternative representations of the same security state. Either one of these situations requires a kernel function that does not change the security state. In the former case there would be one or more functions to permit interpretive access to an object; in the latter there would be functions for changing the representation of the security state without changing the actual state.

Thus the functions of the security kernel software[2] fall into three classes that correspond to the fundamental operations of authorize, access, and null: (1) functions that correspond to the rules of the model, thus changing the security state; (2) functions that implement a part of the reference monitor by allowing interpretive access to objects as permitted by the current security state, thus complementing the hardware access controls; and (3) functions that change the representation of the current security state.
4. Segmentation 


The mathematical model addresses abstract subjects and objects. In this design subjects are the processes and the principal information objects are segments. Processes (subjects) can only access segments (objects) as permitted by the access controls. Every segment has associated with it logical attributes (access class, size, read/write permission) which are made visible at the time of actual reference to the information. By including access control as part of the logical attributes, a way to control access to the information in the system has been provided. Only authorized accesses are allowed.


Segmentation provides the mechanism so that all online information stored in the system is directly addressable by a processor and hence available for direct reference by any computation. A basic advantage of direct addressability is that users can physically share a single copy. A concern which arises from sharing is that information may be passed illegally between users. This is prevented by the enforcement of the confinement property and the simple security condition. The copying of data is no longer mandatory as many users can share a single copy with controlled access.


5. Hardware Requirements 


There are no absolute hardware requirements for secure computer systems; any hardware is theoretically acceptable. Given the current state of the technology, however, certain hardware features are essential if we are to build efficient secure systems[2]. These essential features reduce and simplify the software portion of the security kernel. Reduction and simplification of software at the expense of additional hardware is necessary because producing provably correct software and hardware in the security kernel is a necessity to achieve computer security.

One of the essential features is support for a segmented memory. Segmentation allows all information in the system to be stored in one type of object, the segment. Having to support only a single object type simplifies the kernel. Segmentation allows all information in the system to be compartmentalized into individual packages called segments. Every segment has associated with it access controls as previously mentioned. Only authorized accesses, as delineated in the access control list and allowed by the access class, are permitted. The address of information is composed of two parts (segment #, offset). It is necessary to efficiently resolve the two dimensional address into an absolute address; therefore segmentation should be implemented in hardware.

The other essential hardware feature is multiple execution domains. This feature is used in most contemporary systems to protect operating systems from applications programs. Strictly speaking only two execution domains are necessary (one for the kernel and one for everything else), but in practice it will still be desirable to continue to protect the operating system from applications software, so three domains (kernel, supervisor, user) will be used in this design.

DESIGN


A. DESIGN TECHNIQUES 


When designing an operating system there are several approaches to consider: top down, bottom up and middle out. Although most designs begin as top down or bottom up they generally end up as middle out. In the design there are several design choices available to the designer. In some cases a certain design choice will preclude the ability to make a specific design choice later on in the system design, while in other cases a specific design choice could be a driving force to dictate other design choices. For example, in the SYSTEM the design choice was made to keep the kernel relatively small to reduce the verification process. This particular choice became a heavily weighted factor when, for example, deciding where to support the demand memory management, which ended up in the supervisor. Following are some of the design techniques that contributed to the SYSTEM.


1. Resource Virtualization 


By using virtual processors and virtual memory throughout the upper levels of the design, most of the design is independent of the physical configuration. The SYSTEM provides the virtual to real binding in the kernel. This permits changing the configuration to meet user or maintenance requirements without major changes to the system. Since the processes are assigned virtual processors there is no effect on the user when real processors are added or deleted (except for the change in performance). Of particular interest was the ability to add and delete processors in the SYSTEM. More important was to develop a design that allowed good capacity growth with the addition of processors. In general, configuration independence implies that the hardware (processors, memory and peripherals) can be reconfigured without causing any problems visible to the user.
2. Distributed System


The SYSTEM is distributed logically and physically. Logically, portions of the operating system are distributed within the address space of the user's process, within the supervisor and kernel domains. The use of domains permits the process to maintain its security attributes while interacting with the operating system.

The physical distribution of segments among the individual local memories provides performance (provides high speed memory access and limits BUS contention). The physical distribution allows the tradeoff of memory (viz., multiple copies) for performance. Although one of the potential benefits of segmentation is sharing of pure procedures, the choice was made to disregard this benefit when possible (no user has write access). This allows the segment (viz., a copy) to reside in local memory to reduce BUS contention. The initial hypothesis is that the memory wasted (much of it possibly ROM) is a small price to pay to allow performance to grow well with the addition of processors. This addresses the problem that in typical multiprocessor systems capacity scales poorly because of increased load on the BUS. However, this choice is not fundamental to the design and could be changed to eliminate multiple copies.

Similarly for processors, processing is distributed to processors to eliminate the dependency on a single controlling unit. The system wide data bases are kept in global memory, providing access to all processors.


3. Multiple Protection Domains


The foremost consideration in the design of the SYSTEM was security. This is achieved by use of the security kernel technology, and segmentation provides one of the keys to providing security within the system. The set of segments that are accessible is defined as a domain. The conventional two state system does not provide the desired support for a secure system. For this reason the 2-state (and associated 2 domains) is generalized to a hierarchical n-domain system[8]. In the design of the SYSTEM (a minimum of) 3 domains were considered adequate - user, supervisor and kernel. In addition, the design permits that, based on user application, a number of user domains could be supported. Each domain is in concept similar to a ring[5]. The authorized access of a process is determined by the current ring of execution. The accesses within the different rings form a set of nested domains. Ring 0 (kernel) is the largest and ring n-1 is the smallest.

The ring structure with the associated controls provides a means for regulating the information that passes between domains (rings). Cross-ring calls and parameter passing are well defined[15]. When the proper controls are used they allow outer rings to make requests to inner rings, and also protect the inner rings from unintentional or intentional tampering. The ring structure, when combined with segmentation, provides a mechanism for the design of an effective secure system by protecting the security kernel.


4. Multiprocessing


The process structure provides the essentials for parallel processing: support for a set of asynchronous processes that can communicate with each other. Parallel processing does not require a multi-processor environment. However, in a multi-processor environment parallel processing can provide faster completion of a job.

There are many applications for parallel processing within tactical as well as non-tactical systems. Whenever a job depends on a mixture of asynchronous and synchronous tasks and time is a factor, parallel processing is a possible solution to getting the job done in the allocated time. By using several processors working on the same job, each doing separate tasks, the overall time required to do the job can be reduced (provided the job has been structured into explicit processes). With microprocessors, where processors are relatively inexpensive and slow, parallel processing may be the answer to keeping the cost down while still being able to complete the job in the required time. The above discussion provides some of the major reasons why the SYSTEM was designed to support parallel processing on multiple processors.
5. Cache Memory Strategy


A cache memory is generally thought of as a small amount of high speed memory that is utilized with a large low speed main memory in a system to construct a memory system that appears to be a larger high speed memory. This appearance of a high speed memory is generally possible as a result of locality of reference[1&,p.301].

In a multiprocessor environment, where each processor has its own cache memory, problems arise when accessing shared memory. The main problem is that shared, writable memory cannot be put in a cache. Segmentation allows the assignment of attributes to segments, which provides a way to identify cacheable segments (those segments that are not both writable and shared).

In a multi microprocessor system where BUS contention can become a problem, a cache memory strategy could be quite effective in reducing the number of requests to the main memory, even though the cache and shared memory are the same speed. The main advantage is avoiding access to the system BUS rather than the increase in speed of the actual memory access. The SYSTEM uses the strategy of a cache in the form of a local memory per processor. Now rather than being a copy of what is in global memory, the local memory (cache) becomes the place where the data is stored instead of global memory (note that with a cache, global memory need not contain a copy while the information is in the cache).

Each processor has its own local memory, relatively large in size, where cacheable segments are stored. This means that large blocks of data will be moved when a process is removed from one processor and (subsequently) loaded on another processor. In addition a global memory is utilized for shared writable segments (unencacheable segments). Segmentation allows the SYSTEM to utilize the concept of caches and main memory, but in the form of local and global memory. The overall reason is the same (speed up memory access), but in the SYSTEM this is achieved by reducing the BUS contention through directing most access to local memory.
6. Multiprogramming


In a system where there are more processes than processors there must be a means of switching processors from process to process. Some reasons for switching processes are: the current process completes, a higher priority process is ready, the current process is blocked, or the current process is waiting on I/O. Whatever the reason for switching, there are several things that must be done in performing the switch: first, save the address space of the old process as well as the current execution point represented by a portion of the processor state, and secondly, reload the address space and previous execution point of the new process. The process switch must occur in a specific sequence to insure the new process resumes execution at the same point and in the same logical state as when it was previously switched out. In the SYSTEM, re-establishing the local memory to its previous state becomes part of the process switch (when switching user processes).


Because of the overhead (unloading and loading of the MMU registers) associated with process switches, provisions are included to make the processes semi-dedicated to a processor and thus make the requirement for memory changes infrequent. In order to make the process switch totally hidden outside the kernel, the segments that were in memory the last time the process was executing must be loaded in memory prior to allowing the process to resume execution. The lack of a DBR [6,9.12] is a problem, but saving copies of the MMU registers, which can be reloaded when required, reduces the severity of the problem.
7. Family Of Operating Systems





The design in this thesis is not really for a single operating system, but rather for a whole family of operating systems. For any specific system the family member chosen depends on the functions required. A tactical system which is static in nature does not require many of the user services supported by the SYSTEM. For this reason the family member that consists of only the kernel could be the specific operating system chosen for a tactical system. A general purpose time sharing system, on the other hand, is very dynamic in nature, utilizing large address spaces, a variable number of users, etc. The family member that supports dynamic linking, a hierarchical file system and demand memory management could be the specific operating system for the general purpose time sharing system.

Sub-setting refers to the ability to form meaningful sub-sets of an operating system. In the design of the SYSTEM a sub-setting capability was one of the goals. The structure is such that many of the services provided by the SYSTEM can be eliminated without affecting the usefulness of the remaining system. That is, the SYSTEM can be tailored to fit a number of specific requirements. This is made possible primarily by utilizing a loop free structure[9] within the design. For explanation purposes consider the operating system to be composed of modules. In a loop free structure the dependency is inward or downward (toward the hardware), depending on your point of view. A module only depends on another module at a lower level. Requiring a loop free dependency structure allows system correctness to be established one module at a time. Modifying a module would only affect the modules above which depend on it.

The design choice to keep the kernel relatively small and put the common user services in the supervisor lends itself to sub-setting. The security kernel would not be changed in any of the sub-sets and thus would not require re-verification. The supervisor supported services (dynamic linking, discretionary security, demand memory management, hierarchical file system) could be removed to meet the needs of the specific use of the system. This makes the sub-sets of the SYSTEM suitable for tactical application, where there is generally no need for demand memory management or dynamic linking (static environment), as well as for general purpose application where all the features can be utilized. It should be noted that any of these meaningful sub-sets would be a secure system since the kernel remains unchanged in every sub-set. Sub-sets of the kernel can also be constructed; however, this would require reverification of the kernel.
8. Levels Of Abstraction


Abstraction is a way of avoiding complexity and a means by which a finite piece of reasoning can cover a myriad of cases [17]. The purpose of abstracting is not to be vague, but to create a semantic level in which one can be absolutely precise. Levels of abstraction have been demonstrated to be a powerful design methodology for complex systems. In general, the use of levels of abstraction leads to a better design with greater clarity and fewer errors. A level is defined not only by the abstraction that it supports (for example, a segmented virtual memory) but also by the resources employed to realize that abstraction. Lower levels (closer to the machine) are not aware of the abstractions or resources of higher levels; higher levels may apply the resources of lower levels only by appealing to the functions of the lower levels. This pair of restrictions reduces the number of interactions among parts of a system and makes them more explicit.

Each level of abstraction creates a virtual machine environment. Programs above some level do not need to know how the virtual machine of that level is implemented. For example, if a level of abstraction creates sequential processes and multiplexes one or more hardware processors among them, then at higher levels the number of physical processors in the system is not important. By the rules of abstraction, calls to a procedure at a different level must always be made in a downward direction and the corresponding return in the upward direction. Note that at least two of the levels (kernel and supervisor) define virtual machines with rigidly enforced (via hardware) invocation of extended instructions, i.e. the kernel and supervisor calls.





B. PROPOSED DESIGN


The SYSTEM is composed of two parts, the supervisor and the kernel. The supervisor provides system services while the kernel manages physical resources. This division also contributes to the ability to sub-set without affecting the kernel. The supervisor, which consists of procedures, is distributed and exists within the supervisor domain of each user process. The kernel is made up of both procedures and system processes. The procedures are part of the distributed operating system and exist within the kernel domain of each user process. The system processes are not distributed but are separate processes.
1. Notation


The following is an explanation of the notation used in the following discussions. When a CALL is used the name of the module is given followed by the parameters within parentheses. When a name in quotes appears as the first parameter in the parentheses it is used to specify the entry within the module. For example, in CALL INNER_TC('UNLOAD', SEGMENT_#, WRITTEN) the module name is INNER_TC, 'UNLOAD' specifies the entry point and SEGMENT_# and WRITTEN are the parameters. When a SIGNAL is used the first name in quotes specifies the process for whom the signal is intended, the second name in quotes (optional) specifies the specific function requested of that process and the remaining names represent parameters. For example, in SIGNAL('MEMORY_MANAGER', 'OUT', SEGMENT_#, WRITTEN) the signal is meant for the memory manager process, 'OUT' is the requested function and SEGMENT_# and WRITTEN are parameters. WAIT is used when a process cannot continue execution until it receives a signal from another process: WAIT(PROCESS_ID, MSG). The return parameters PROCESS_ID and MSG are used to indicate the process that sent the signal and the message sent. It should be noted that the above notation is only used to simplify the understanding of what is happening. In an actual implementation the parameters need not be passed in precisely this fashion.


2. System Overview


The following is an overview of the SYSTEM's modules and processes and how they function. Figure 2 represents the modules that exist in the distributed supervisor and the distributed kernel. The levels are used to indicate the dependencies that exist between these modules. The supervisor is made up of four levels of abstraction. It should be noted that all data within the supervisor is per process.

The linker, a level 1 module called LINKER, exists in a segmented virtual memory and provides the mechanisms of dynamic linking. It is invoked by CALL LINKER(SYMBOLIC_NAME). It should be noted that the call could be by link fault as in MULTICS [6]. The linker keeps track of snapped links in the linkage segment (figure 3). The linker utilizes the CALL SEARCH(SYMBOLIC_NAME, SEGMENT_#) to obtain the segment number for unsnapped links.

The searcher, a level 2 module called SEARCH, is invoked by SEARCH(SYMBOLIC_NAME, SEGMENT_#) and is required to return the segment number of the segment specified by the symbolic name. By applying the "search rules" the symbolic name is converted to a path name in the hierarchical file system. The searcher gets the desired segment number by the CALL SEG_HND(PATH_NAME, SEGMENT_#).

The segment handler, a level 3 module called SEG_HND, is invoked by CALL SEG_HND(PATH_NAME, SEGMENT_#) and is responsible for returning the appropriate segment number. The segment handler utilizes the Segment Table (figure 4) as its data base. To maintain the data base it uses the CALL SEG_MGR('MAKE_KNOWN', PAR_SEG_#, ENTRY_#, ACCESS, SEGMENT_#, SIZE) to the kernel to obtain a segment number for a segment and the CALL DISC_SEC(SEGMENT_#, ENTRY_#, ACCESS) to determine the authorized access (discretionary). The segment handler is also invoked by the virtual faults, SEG_HND('SEG_FAULT', SEGMENT_#) and SEG_HND('MEM_FAULT', SEGMENT_#). The 'SEG_FAULT' is a discretionary security access check and is handled by a CALL DISC_SEC(SEGMENT_#, ENTRY_#). The 'MEM_FAULT' is a request to bring a segment into memory and is handled by a CALL MEM_HND(SEGMENT_#, SIZE).

The memory handler and discretionary security, level 4 modules called MEM_HND and DISC_SEC respectively, are invoked by MEM_HND(SEGMENT_#, SIZE) and DISC_SEC(SEGMENT_#, ENTRY_#, ACCESS) respectively. The memory handler provides the dynamic memory management utilizing the Memory Map data base (figure 5). The memory handler uses the CALL SEG_MGR('SWAP_IN', SEGMENT_#, BASE_ADDRESS) in the kernel to bring a segment into memory and the CALL SEG_MGR('SWAP_OUT', SEGMENT_#) to remove a segment. The discretionary security module uses the access control lists to determine the authorized access of the process (discretionary).

[Figure 3: LINKAGE SEGMENT (PER SEGMENT). One row per known segment, keyed by SYMBOLIC_NAME (sample rows such as TEST2).]

[Figure 4: SEGMENT TABLE. Columns: SEGMENT_#, PARENT SEGMENT_#, ENTRY_#, ACCESS, SIZE.]

[Figure 5: MEMORY MAP (LOCAL). Allocated areas listed as BASE | SIZE | SEGMENT_#.]

The distributed kernel is composed of three levels. The segment manager, a kernel level 1 module called SEG_MGR, is invoked by the CALL SEG_MGR('MAKE_KNOWN', PAR_SEG_#, ENTRY_#, ACCESS, SEGMENT_#), CALL SEG_MGR('SWAP_IN', SEGMENT_#, BASE_ADDRESS) and CALL SEG_MGR('SWAP_OUT', SEGMENT_#). The segment manager maintains the Known Segment Table (figure 6) as a per process data base. The segment manager determines allowable access by the CALL NON_DISC_SEC(UNIQUE_ID, ACCESS) and assigns segment numbers by the CALL INNER_TC('ASSIGN', SEGMENT_#, ACCESS). The segment manager brings segments into memory by SIGNAL('MEMORY_MANAGER', 'IN', SEGMENT_#, UNIQUE_ID, BASE_ADDRESS) and removes segments from memory by SIGNAL('MEMORY_MANAGER', 'OUT', SEGMENT_#).

The non-discretionary security, a kernel level 2 module called NON_DISC_SEC, is responsible for determining the authorized access for a given segment. Non-discretionary security is invoked by the CALL NON_DISC_SEC(UNIQUE_ID, ACCESS).

The traffic controller, a kernel level 2 module called TRAFFIC_CONT, is responsible for multiplexing user processes to virtual processors. The traffic controller utilizes the Active Process Table (figure 7) as its data base. The traffic controller is invoked by the CALL TRAFFIC_CONT('BLOCK', MSG, WAKING_ID) and CALL TRAFFIC_CONT('WAKEUP', PROCESS_ID, MSG). The traffic controller uses the SIGNAL('MEMORY_MANAGER', 'LOAD', VIRT_MEM_MAP) and SIGNAL('MEMORY_MANAGER', 'UNLOAD', WRIT_BIT_MAP) to load and unload the processes' segments in memory on the virtual processors. The traffic controller uses the CALL INNER_TC('LOAD_MMU', PROCESS_ID) and CALL INNER_TC('UNLOAD_MMU') to load or unload the memory management registers of the virtual processors. The traffic controller uses the CALL INNER_TC('IDLE') to remove a virtual processor from contention for resources. Actually the virtual processor is assigned the lowest priority available and the idle process is loaded.

The inner traffic controller, a kernel level 3 module called INNER_TC, provides the multiplexing of virtual processors to real processors. The inner traffic controller uses the Processor Table (figure 8) as its data base.

The non-distributed kernel consists of two system processes. The memory manager process maintains the Active Segment Table (figure 9) and Global Memory Map (figure 12) as data bases. Basically it loads segments into memory. The memory manager process is responsible for putting segments in local/global memory based on the user's access.

The I/O manager process processes all the external I/O; this includes I/O to and from the user terminals. The terminals can be thought of as being hard wired. Specific terminals have specific access classes; therefore no kernel passwords are required to determine access class.

The next three sections provide a detailed discussion of the design.

3. Supervisor


The supervisor can be invoked by the following external (user) calls:

SUP_CREATE_SEGMENT(ACCESS_CLASS, SIZE)

SUP_DELETE_SEGMENT(SEGMENT_#)

LINKER(SYMBOLIC_NAME)

SUP_BLOCK(MSG)

SUP_WAKEUP(PROCESS_ID, MSG)

SUP_CREATE_PROCESS(PROCESS_ID, ADDRESS_SPACE)

SUP_DESTROY_PROCESS(PROCESS_ID)

a. Linker (Supervisor) 

The linker exists in a segmented virtual memory environment. It is only aware of symbolic names and segment numbers. The choice was made to provide dynamic linking and not assign segment numbers to segments at compile or load time; therefore there is a requirement to resolve external references at run time. In general it is the linker's job to intervene on a procedure's external references and direct the reference to the appropriate segment. To accomplish this the linker utilizes a linkage segment (each process has a linkage segment). The linkage segment contains an entry for each segment known to the process.

Each external reference results in a call to the linker with a parameter that on first reference permits finding the symbolic name of the desired segment.

LINKER(SYMBOLIC_NAME) The linker searches for the entry corresponding to the symbolic name. If found it transfers to the segment number and offset specified in the linkage segment. If not found (first reference) it must first determine the segment number and offset. To obtain the segment number the linker calls the searcher passing as a parameter the symbolic name, SEARCH(SYMBOLIC_NAME, SEGMENT_#). The parameter returned is the segment number. The linker completes the entry in the linkage segment and transfers control to the desired segment.

b. Searcher (Supervisor)

The searcher is aware of the hierarchical file system and a set of search rules. It is invoked by SEARCH(SYMBOLIC_NAME, SEGMENT_#). The searcher has the task of resolving a symbolic name into a path name. The searcher receives as a parameter a symbolic name which is processed and eventually the segment number of the symbolically named segment is returned. To accomplish this the searcher applies the 'search rules' [6]. The search rules are a list of path names and a simple technique that convert the symbolic name to a path name (note that this is independent of security). The searcher utilizes a calling directory and working directory [6, p.230]. Once the path name is determined the searcher calls the segment handler passing the path name as a parameter, SEG_HND(PATH_NAME, SEGMENT_#). The parameter returned is the segment number. The searcher returns passing the segment number as a parameter to the linker.
c. Segment Handler (Supervisor)

The segment handler understands the hierarchical file system, parent, entry number, access control lists, and segment numbers. The segment handler deals with virtual segment faults (access checks) and virtual memory faults. It is invoked by the call SEG_HND(PATH_NAME, SEGMENT_#). The segment handler gets assistance in performing its tasks by using the following calls: MEM_HND(SEGMENT_#, SIZE) to request that a segment be put in virtual memory; DISC_SEC(SEGMENT_#, ENTRY_#), a function to determine the authorized access (discretionary security) to a segment; and SEG_MGR('MAKE_KNOWN', PAR_SEG_#, ENTRY_#, ACCESS, SEGMENT_#), a kernel call used to determine the segment number and size of the segment indicated by the parent segment number and entry number.

The segment handler maintains a segment table with information that is necessary to control segments at the supervisor level (figure 4). The segment number is unique within the process. Parent segment number is the segment number of the parent and entry number is the entry within the parent for the segment. Access is that access authorized by the discretionary security policy. Size is the memory required by the segment. The segment handler is required to convert path names to segment numbers as well as to handle virtual segment faults (discretionary security checks) and virtual memory faults. To accomplish these tasks the segment handler has three entry points: SEG_HND, MEM_FAULT and SEG_FAULT.

SEG_HND(PATH_NAME, SEGMENT_#) The segment handler receives as a parameter the path name of the desired segment. One of the design characteristics of the hierarchical file system is that access to a segment requires read access to every segment on the path of the segment. One by one the segments on the path name must be made known and the access established. To do this a recursive algorithm can be utilized that will process each entry within the path name until the path name is resolved. The segment number assigned to the desired segment is returned.

SEG_HND('MEM_FAULT', SEGMENT_#) A virtual memory fault is utilized to support the dynamic memory management outside the kernel. When a segment that is not in memory is referenced, a virtual memory fault (hardware initiated; the kernel provides the software interpretation of the fault and provides a transfer vector to the supervisor) is generated to the segment handler. The segment handler uses the Segment Table to determine the SEGMENT_# and the SIZE of the segment. The memory handler is called, MEM_HND(SEGMENT_#, SIZE).

SEG_HND('SEG_FAULT', SEGMENT_#) A virtual segment fault is used to tell the supervisor that the ACL for the segment referenced has been changed since the last time the segment had been referenced. The segment handler must re-establish the discretionary security. This is done by checking the Segment Table for the parent's segment number and entry number, calling DISC_SEC(SEGMENT_#, ENTRY_#, ACCESS), checking the new access, updating the Segment Table and returning.

d. Memory Handler (Supervisor) 

It is the job of the memory handler to provide the dynamic memory management within a fixed size linear virtual memory. The memory handler utilizes two kernel calls, 'SWAP_IN' and 'SWAP_OUT', to perform its tasks. SEG_MGR('SWAP_IN', SEGMENT_#, BASE_ADDRESS) is used to request that a segment be brought into memory. SEG_MGR('SWAP_OUT', SEGMENT_#) is used to remove a segment from memory.

The memory handler is tasked by the segment handler to put a segment into memory and is provided with the SEGMENT_# and SIZE of this segment. The data base utilized is a Memory Map (figure 5) which indicates free areas and allocated areas. Each process has a memory map which is used to keep track of the virtual memory allocated to the process.

To provide the demand memory management there are many suitable algorithms [16, p.155]. First fit, best fit and worst fit are among the possible choices for allocating free areas. A least recently used algorithm is generally used for deallocating memory. The used bit is available to provide information to the deallocation scheme. The CALL INNER_TC('GET_USED_BITS', USED_BITS) returns an array of the status of all the used bits. The CALL INNER_TC('SET_USED_BITS', USED_BITS) provides an array of the desired values of the used bits. This provides the mechanism for an efficient approximation of a Least Recently Used algorithm for deallocation [16]. Allocated areas (figure 5) are identified by (SEGMENT_#, BASE_ADDRESS, SIZE). When tasked, the memory handler searches for a free area large enough for the segment. If there is no free area large enough, the memory handler must use the CALL SEG_MGR('SWAP_OUT', SEGMENT_#) to establish a large enough free area. The memory map is updated and the CALL SEG_MGR('SWAP_IN', SEGMENT_#, BASE_ADDRESS) is generated. The memory map is updated and the memory handler returns.
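An added example in C of the memory handler's behaviour described above; it is not the thesis's own code. It allocates first fit over a memory map of the figure 5 shape and, when no free area is large enough, picks a swap-out victim by a second-chance approximation of LRU driven by the used bits (the information GET_USED_BITS and SET_USED_BITS expose). The memory size, the victim rule and the two stand-in kernel calls are assumptions made for the example.

```c
#include <string.h>

/* Constructed parameters: a small fixed-size linear virtual memory. */
#define VM_SIZE  64
#define MAX_SEGS 8
#define FREE     (-1)

/* One allocated area of the Memory Map (figure 5), plus its used bit. */
struct map_entry { int segment; int base; int size; int used; };

static int owner[VM_SIZE];              /* segment occupying each unit, or FREE */
static struct map_entry memory_map[MAX_SEGS];
static int map_count;
static int last_swapped_out = FREE;

/* Stand-ins for the two kernel calls (assumed); they only record the request. */
static void seg_mgr_swap_in(int segment, int base) { (void)segment; (void)base; }
static void seg_mgr_swap_out(int segment) { last_swapped_out = segment; }

void mem_reset(void)
{
    int i;
    for (i = 0; i < VM_SIZE; i++)
        owner[i] = FREE;
    map_count = 0;
    last_swapped_out = FREE;
}

static int find_entry(int segment)
{
    int i;
    for (i = 0; i < map_count; i++)
        if (memory_map[i].segment == segment)
            return i;
    return -1;
}

/* First fit: the lowest base address with `size` consecutive free units. */
static int first_fit(int size)
{
    int base, run = 0;
    for (base = 0; base < VM_SIZE; base++) {
        run = (owner[base] == FREE) ? run + 1 : 0;
        if (run == size)
            return base - size + 1;
    }
    return -1;
}

/* Second-chance approximation of LRU: take the first area whose used bit is
 * clear; if every bit is set, clear them all (SET_USED_BITS) and take the first. */
static int choose_victim(void)
{
    int i;
    for (i = 0; i < map_count; i++)
        if (!memory_map[i].used)
            return i;
    for (i = 0; i < map_count; i++)
        memory_map[i].used = 0;
    return 0;
}

/* SWAP_OUT the victim and return its area to the free space. */
static void evict(int idx)
{
    int i;
    seg_mgr_swap_out(memory_map[idx].segment);
    for (i = 0; i < memory_map[idx].size; i++)
        owner[memory_map[idx].base + i] = FREE;
    memory_map[idx] = memory_map[--map_count];
}

/* MEM_HND(SEGMENT_#, SIZE): place the segment in virtual memory and return
 * its base address, evicting as needed; -1 if the request can never fit. */
int mem_hnd(int segment, int size)
{
    int base = -1, i, idx = find_entry(segment);
    if (idx >= 0)
        return memory_map[idx].base;          /* already resident */
    if (size <= 0 || size > VM_SIZE)
        return -1;
    while (map_count == MAX_SEGS || (base = first_fit(size)) < 0)
        evict(choose_victim());
    for (i = 0; i < size; i++)
        owner[base + i] = segment;
    memory_map[map_count].segment = segment;
    memory_map[map_count].base = base;
    memory_map[map_count].size = size;
    memory_map[map_count].used = 0;           /* set later by a reference */
    map_count++;
    seg_mgr_swap_in(segment, base);
    return base;
}

/* Simulate a hardware reference to a resident segment: sets its used bit. */
void mem_touch(int segment)
{
    int idx = find_entry(segment);
    if (idx >= 0)
        memory_map[idx].used = 1;
}

int mem_base(int segment)
{
    int idx = find_entry(segment);
    return idx >= 0 ? memory_map[idx].base : -1;
}

int mem_last_swapped_out(void) { return last_swapped_out; }
```

With two 30-unit segments resident in a 64-unit memory, a request for 10 more units cannot be satisfied from the 4 free units, so the handler swaps out the segment whose used bit is still clear; when every resident segment has been referenced, the bits are cleared and the first area is taken.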

e. Discretionary Security (Supervisor) 

This module is only aware of access control lists (figure 11) and how to search one to determine the access to be given the current process. The input parameter is the segment number (of the directory) and entry number of the ACL for the desired segment. The discretionary security module searches the ACL for the PROCESS_ID of the calling process and thereby determines the access, which is returned.
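The path walk described for the segment handler (SEG_HND) and the ACL search described for discretionary security, as one added C example that is not part of the thesis. The directory hierarchy, segment numbers, principal names and ACLs are constructed sample data; the access encoding and the iterative form of the walk (the text allows a recursive one) are assumptions. The point it demonstrates is that a segment is reachable only if every directory on its path grants read access, so a directory that denies the caller hides everything below it even when a deeper ACL would grant access.

```c
#include <string.h>

/* Access values recorded in the Segment Table (constructed encoding). */
#define ACC_NONE  0
#define ACC_READ  1
#define ACC_WRITE 2
#define ACC_ALL   (ACC_READ | ACC_WRITE)

/* One ACL entry in the style of figure 11: a principal and its access. */
struct acl_entry { const char *principal; int access; };

/* A directory entry: the directory it lives in, its name, the segment
 * number it designates, and the ACL guarding it (NULL-terminated). */
struct dir_entry {
    int parent;
    const char *name;
    int segment;
    struct acl_entry acl[4];
};

/* Constructed sample hierarchy (hypothetical); segment 0 is the root. */
static const struct dir_entry fs[] = {
    { 0, "udd",   1, { {"ALL OTHERS", ACC_READ} } },
    { 1, "jones", 2, { {"JONES", ACC_ALL}, {"ALL OTHERS", ACC_READ} } },
    { 2, "test1", 3, { {"JONES", ACC_ALL}, {"OCONNELL", ACC_READ},
                       {"ALL OTHERS", ACC_NONE} } },
    { 1, "smith", 4, { {"SMITH", ACC_ALL}, {"ALL OTHERS", ACC_NONE} } },
    { 4, "notes", 5, { {"ALL OTHERS", ACC_READ} } },
};

/* DISC_SEC: search one ACL for the calling process. The first matching
 * entry wins and 'ALL OTHERS' supplies the default; no match means no access. */
int disc_sec(const struct dir_entry *e, const char *process_id)
{
    int i;
    for (i = 0; e->acl[i].principal != NULL; i++) {
        if (strcmp(e->acl[i].principal, process_id) == 0 ||
            strcmp(e->acl[i].principal, "ALL OTHERS") == 0)
            return e->acl[i].access;
    }
    return ACC_NONE;
}

static const struct dir_entry *lookup(int parent, const char *name)
{
    size_t i;
    for (i = 0; i < sizeof fs / sizeof fs[0]; i++)
        if (fs[i].parent == parent && strcmp(fs[i].name, name) == 0)
            return &fs[i];
    return NULL;
}

/* SEG_HND(PATH_NAME, SEGMENT_#): walk ">udd>jones>test1" one entry at a
 * time. Every directory on the path must grant READ or the walk stops
 * without looking at the entries below it. Returns 0 on success with
 * *segment and *access filled in, -1 otherwise. */
int seg_hnd(const char *path_name, const char *process_id,
            int *segment, int *access)
{
    char buf[128];
    char *comp;
    int dir = 0;              /* start at the root directory */
    int acc = ACC_READ;       /* assumed: the root is readable by all */

    if (strlen(path_name) >= sizeof buf)
        return -1;
    strcpy(buf, path_name);
    for (comp = strtok(buf, ">"); comp != NULL; comp = strtok(NULL, ">")) {
        const struct dir_entry *e;
        if (!(acc & ACC_READ))  /* cannot list the directory we are in */
            return -1;
        e = lookup(dir, comp);
        if (e == NULL)
            return -1;
        acc = disc_sec(e, process_id);
        dir = e->segment;
    }
    if (acc == ACC_NONE)        /* final segment exists but is denied */
        return -1;
    *segment = dir;
    *access = acc;
    return 0;
}

/* Convenience wrappers returning a single value each. */
int resolve_segment(const char *path, const char *pid)
{
    int seg, acc;
    return seg_hnd(path, pid, &seg, &acc) == 0 ? seg : -1;
}

int resolve_access(const char *path, const char *pid)
{
    int seg, acc;
    return seg_hnd(path, pid, &seg, &acc) == 0 ? acc : ACC_NONE;
}
```

In the sample data JONES can reach ">udd>jones>test1" with all access and OCONNELL with read access, while ">udd>smith>notes" is unreachable for JONES because the "smith" directory denies read, even though "notes" itself would grant read to everyone.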
4. Distributed Kernel 


There is a gate mechanism (domain change) through which all kernel and supervisor calls pass. Checks are made to determine proper (complete) parameters and the call is directed to the proper module. The kernel is the "privileged mode" and can execute privileged instructions. Calls coming from outside the kernel are:

MAKE_KNOWN(PAR_SEG_#, ENTRY_#, ACCESS, SEGMENT_#)

SWAP_IN(SEGMENT_#, BASE_ADDRESS)

SWAP_OUT(SEGMENT_#)

SET_SEG_FAULT(SEGMENT_#)

BLOCK(MSG, WAKING_ID)

WAKEUP(PROCESS_ID, MSG)

CREATE_PROCESS(PROCESS_ID, ADDRESS_SPACE)

START_PROCESS(PROCESS_ID, EXECUTION_POINT)

STOP_PROCESS(PROCESS_ID)

DESTROY_PROCESS(PROCESS_ID)

CREATE_SEGMENT(PAR_SEG_#, ENTRY_#, ACCESS_CLASS, SIZE)

DELETE_SEGMENT(UNIQUE_ID)

INNER_TC('GET_USED_BITS', USED_BITS)

INNER_TC('SET_USED_BITS', USED_BITS)

a. Segment Manager (Kernel) 


The segment manager's environment is a segmented physical memory. The segment manager assigns segment numbers and is responsible for maintaining the status of all segments known to a process. The segment manager's primary data base is the Known Segment Table (KST) (figure 6). The unique ID is a unique, system wide identifier assigned to each segment. They are assigned from an available list of integers (and can be reused when a segment is deleted). Each segment also has an alias that is the unique ID of, and the entry number in, its parent. This provides a means of determining the unique ID of a segment from the segment number of, and entry number in, the parent.

It should be noted that the reason for the alias is to prevent the unique ID from leaving the kernel. The alias, however, is derivable from information known to the supervisor, because it relates to the hierarchical file system. This information is per process and not system wide in nature. Although the hierarchical structure of the file system can be derived from the kernel's alias data base, the contention is that the file system in the kernel is a flat one. This method also eliminates the confinement problem. The kernel only requires that the access class of a segment, when created, must be at or above the access class of the process creating the segment.

The segment manager can be invoked by several calls:

SEG_MGR('MAKE_KNOWN', PAR_SEG_#, ENTRY_#, ACCESS, SEGMENT_#)

SEG_MGR('SET_SEG_FAULT', SEGMENT_#)

SEG_MGR('SWAP_IN', SEGMENT_#, BASE_ADDRESS)

SEG_MGR('SWAP_OUT', SEGMENT_#)

The CALL SEG_MGR('MAKE_KNOWN', PAR_SEG_#, ENTRY_#, ACCESS, SEGMENT_#). The task is to assign a segment number to the segment specified. PAR_SEG_# and ENTRY_# are the segment number of the parent directory and the entry within that directory. The parent segment number is used to determine the unique ID of the parent from the KST and this combined with the entry number forms an alias for the desired segment. The segment manager searches the KST to determine if the segment has already been assigned a segment number (already known). If this is the case the segment number already assigned is returned. If the segment is not known then a KST entry must be made. The procedure is as follows: use the PAR_SEG_# and the KST to determine the unique ID of the parent. Combine the unique ID of the parent and the entry number to derive the alias of the segment. Use the alias to determine the unique ID of the desired segment from the alias table (figure 12). CALL NON_DISC_SEC(UNIQUE_ID, ACCESS) to determine the authorized access. The access granted is the desired access or the authorized access, whichever is less. Assign a segment number. CALL INNER_TC('ASSIGN', SEGMENT_#, ACCESS). Return the assigned segment number.
The CALL SEG_MGR('SET_SEG_FAULT', SEGMENT_#). This call is used when the access control list for a segment is changed. The segment manager determines the unique ID of the segment specified and does a SIGNAL('MEMORY_MANAGER', 'SET_SEG_FAULT', UNIQUE_ID).

[Figure 11: ACCESS CONTROL LIST. Sample ACL: 'OCONNELL' (ALL ACCESS), 'RICHARDSON' (ALL ACCESS), 'JONES' (READ ACCESS), 'ALL OTHERS' (NO ACCESS).]

[Figure 12: ALIAS TABLE. Columns: UNIQUE_ID, (PARENT UNIQUE_ID, ENTRY_#).]

[Figure (LOC_EX_STATE): MACHINE REGISTERS, and per segment SOFTWARE FAULTS, ACCESS, RELATIVE BASE ADDRESS.]

The CALL SEG_MGR('SWAP_IN', SEGMENT_#, BASE_ADDRESS). A request to load the specified segment into memory at the indicated base address (relative). The segment manager locates the appropriate KST entry and does a SIGNAL('MEMORY_MANAGER', 'IN', SEGMENT_#, UNIQUE_ID, BASE_ADDRESS) and a WAIT(PROCESS_ID, ABS_ADD, BOUND). The memory manager process loads the segment in memory and returns the absolute address and bound of the segment. The segment manager notifies the inner traffic controller of the update in segment information by CALL INNER_TC('LOAD', SEGMENT_#, ABS_ADD, BOUND). The segment manager returns.

The CALL SEG_MGR('SWAP_OUT', SEGMENT_#). The segment manager is tasked with removing the segment from memory. It does a CALL INNER_TC('UNLOAD', SEGMENT_#, WRITTEN) to obtain the value of the written bit and then, to unload the segment from memory, a SIGNAL('MEMORY_MANAGER', 'OUT', SEGMENT_#, WRITTEN), WAIT('MEMORY_MANAGER') and then returns.
b. Non-Discretionary Security (Kernel) 

The purpose of the non-discretionary security is to enforce the non-discretionary security policy by checking the access class of the process against the access class of the desired segment. The access is determined as a result of this comparison. The non-discretionary security module is invoked by the CALL NON_DISC_SEC(UNIQUE_ID). An algorithm is used for interpreting the lattice for comparing the access classes and determining the authorized access. The non-discretionary security module returns passing the access.
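An added example in C, not from the thesis, that puts the segment manager's MAKE_KNOWN procedure and the non-discretionary check together: a per-process KST, an alias table of the figure 12 shape, and a lattice of (level, category set) access classes. Figure 6 is not reproduced on the page, so the KST fields used here are assumed; the read/write interpretation of the lattice (read if the process dominates the segment, write if the segment dominates the process) is a standard assumption the thesis does not spell out; the unique IDs and classes are constructed. The CREATE_SEGMENT rule quoted above (the new segment's class at or above the creating process's class) is checked with the same dominance relation.

```c
#include <stddef.h>

#define ACC_NONE  0
#define ACC_READ  1
#define ACC_WRITE 2
#define MAX_KST   16

/* An access class: a hierarchical level and a set of categories (bitmask). */
struct access_class { int level; unsigned categories; };

/* a dominates b: a's level is at least b's and a's categories include b's. */
static int dominates(struct access_class a, struct access_class b)
{
    return a.level >= b.level && (a.categories & b.categories) == b.categories;
}

/* Kernel data keyed by unique ID (constructed). Unique IDs never leave the
 * kernel; the supervisor only ever sees segment numbers. */
struct seg_info { int uid; struct access_class cls; };
static const struct seg_info segs[] = {
    { 100, { 0, 0x0 } },   /* root directory */
    { 101, { 0, 0x0 } },   /* udd */
    { 102, { 1, 0x1 } },   /* jones */
    { 103, { 1, 0x1 } },   /* test1 */
    { 104, { 2, 0x3 } },   /* secret: above the sample process below */
};

/* Alias table (figure 12): (parent unique ID, entry #) -> unique ID. */
struct alias { int parent_uid; int entry; int uid; };
static const struct alias alias_table[] = {
    { 100, 1, 101 }, { 101, 1, 102 }, { 102, 1, 103 }, { 102, 2, 104 },
};

/* Known Segment Table (fields assumed): index is the segment number. */
struct kst_entry { int unique_id; int access; };
static struct kst_entry kst[MAX_KST];
static int kst_count;
static struct access_class proc_class;     /* class of the current process */

static int alias_lookup(int parent_uid, int entry)
{
    size_t i;
    for (i = 0; i < sizeof alias_table / sizeof alias_table[0]; i++)
        if (alias_table[i].parent_uid == parent_uid && alias_table[i].entry == entry)
            return alias_table[i].uid;
    return -1;
}

static const struct seg_info *seg_lookup(int uid)
{
    size_t i;
    for (i = 0; i < sizeof segs / sizeof segs[0]; i++)
        if (segs[i].uid == uid)
            return &segs[i];
    return NULL;
}

/* NON_DISC_SEC(UNIQUE_ID, ACCESS): assumed Bell-LaPadula style reading of
 * the lattice: read if the process dominates the segment, write if the
 * segment dominates the process, so equal classes give both. */
int non_disc_sec(int uid)
{
    const struct seg_info *s = seg_lookup(uid);
    int access = ACC_NONE;
    if (s == NULL)
        return ACC_NONE;
    if (dominates(proc_class, s->cls)) access |= ACC_READ;
    if (dominates(s->cls, proc_class)) access |= ACC_WRITE;
    return access;
}

/* Stand-in for INNER_TC('ASSIGN', SEGMENT_#, ACCESS) (assumed). */
static void inner_tc_assign(int segment, int access) { (void)segment; (void)access; }

/* Start a process: fresh KST in which segment 0 is the root directory
 * (assumed to be made known at process creation). */
void session_begin(int level, unsigned categories)
{
    proc_class.level = level;
    proc_class.categories = categories;
    kst[0].unique_id = 100;
    kst[0].access = non_disc_sec(100) & ACC_READ;
    kst_count = 1;
}

/* SEG_MGR('MAKE_KNOWN', PAR_SEG_#, ENTRY_#, ACCESS, SEGMENT_#): returns the
 * assigned segment number, or -1 if the parent is unknown or has no such entry. */
int make_known(int par_seg, int entry, int desired)
{
    int uid, i, granted;
    if (par_seg < 0 || par_seg >= kst_count)
        return -1;
    uid = alias_lookup(kst[par_seg].unique_id, entry);
    if (uid < 0)
        return -1;
    for (i = 0; i < kst_count; i++)
        if (kst[i].unique_id == uid)
            return i;                           /* already known */
    if (kst_count == MAX_KST)
        return -1;
    granted = desired & non_disc_sec(uid);      /* whichever is less */
    kst[kst_count].unique_id = uid;
    kst[kst_count].access = granted;
    inner_tc_assign(kst_count, granted);
    return kst_count++;
}

int kst_access(int segment)
{
    return segment >= 0 && segment < kst_count ? kst[segment].access : -1;
}

/* CREATE_SEGMENT rule: the new segment's class must dominate the process's. */
int create_segment_allowed(int level, unsigned categories)
{
    struct access_class c;
    c.level = level;
    c.categories = categories;
    return dominates(c, proc_class);
}
```

For a process at level 1 with category 0x1, "udd" at (0, 0) is readable only, "jones" at the same class is readable and writable, and "secret" at (2, 0x3) can be written but not read; asking for read on "secret" therefore yields a known segment with no access, and a later request for the same segment returns the existing number, as the text describes.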

c. Traffic Controller (Kernel)

The job of the traffic controller is to schedule and control processes. The traffic controller utilizes an Active Process Table (system wide) (figure 7) and a Virtual Processor Table (figure 8) to maintain the necessary information about each process. Each virtual processor has a priority (this priority is used by the inner traffic controller when the virtual processors are multiplexed on the physical processors). PROCESS_ID is a unique identifier for each process, which can be mapped to the user. STATE refers to the present state of a process (ready, block, stop, run). AFFINITY is used to specify a binding of a process to a virtual processor either by virtue of dissimilar processor characteristics (strong) or because the process has segments in local memory of a processor (weak). PRIORITY is used to determine a scheduling behavior. LOC_EX_STATE provides the means for keeping track of the execution state of the process and is a pointer to a storage area that contains information about the execution state (figure 13).

The traffic controller schedules the processes to run on virtual processors. There is a virtual processor for every loaded process. Each virtual processor has a low priority process (IDLE) so that the processor is never stopped. The traffic controller provides the BLOCK and WAKEUP functions as a means of providing inter-process communication.

The traffic controller would have a priority driven scheduling algorithm to determine what process to schedule. This could be a simple first come first served algorithm or it could be a complex time sharing algorithm to dynamically change process priority. The method utilized in this thesis is that the traffic controller works on the premise of scheduling the ready process with the highest priority and the proper affinity whenever a virtual processor is available.

Whenever a process blocks itself it is in fact a call to the traffic controller. The traffic controller changes the state of the process to blocked. The traffic controller now has the option of reassigning the virtual processor to another user process or scheduling the idle process (CALL INNER_TC('IDLE')). In the latter case there is no loading or unloading of the process involved and this can be beneficial to control thrashing. Since there are other virtual processors competing for the processor the traffic controller scheduling algorithm will try to leave the process loaded. When the process is put back in the run state it will be in contention for the processor. If another process is to be assigned to the virtual processor then the old process must be unloaded. First the status of the written bits is determined (CALL INNER_TC('WRITTEN_BITS')). The execution state of the old process is unloaded (CALL INNER_TC('UNLOAD_MMU', PROCESS_ID, LOC_EX_STATE)). SIGNAL('MEMORY_MANAGER', 'UNLOAD', WRIT_BIT_MAP) and WAIT('MEMORY_MANAGER', VIRT_MEM_MAP) are generated, and the virtual memory map of the process is returned by the memory manager process. The execution state and the virtual memory map of the old process are saved. Now the new process can be loaded. The virtual memory map of the new process is passed to the memory manager process: a SIGNAL('MEMORY_MANAGER', 'LOAD', VIRT_MEM_MAP) and WAIT('MEMORY_MANAGER', ABS_ADD_MAP) are generated. A map indicating the absolute address of the loaded segments is returned by the memory manager process. The execution state of the new process is loaded (CALL INNER_TC('LOAD', LOC_EX_STATE, ABS_ADD_MAP)). This completes the process of switching user processes on a virtual processor.

The TRAFFIC_CONT('WAKEUP', PROCESS_ID) is also a call to the traffic controller. If the process specified by PROCESS_ID is in the blocked state the traffic controller puts that process in the ready state; it checks the priorities of the running processes and if there is a lower priority process in the run state the virtual processor it is running on is sent a pre-empt interrupt, CALL INNER_TC('PRE_EMPT_INT', VIRT_PRO_ID), and the traffic controller returns. The pre-empt interrupt forces the pre-empted virtual processor to transfer control to the traffic controller. The traffic controller puts this process in the ready state and then schedules the highest priority process, subject to affinity, as indicated above. If the idle process was running on the virtual processor and if the process loaded in that virtual processor is in the ready state it could be assigned the virtual processor by the CALL INNER_TC('UNIDLE', VIR_PRO_ID). This has the effect of unloading the idle process and loading the process that was previously loaded. It should be noted that except for the special case of the idle process, switching processes is costly and, if done too frequently, could lead to thrashing problems.
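The scheduling behaviour described for the traffic controller, as an added C example that is not the thesis's code: an Active Process Table with the fields the text names, one loaded process per virtual processor, BLOCK, and WAKEUP with pre-emption of the virtual processor running the lowest-priority process, subject to affinity. Figure 7 is not on the page, so the table layout is assumed, and the idle process is modelled simply as an empty virtual processor (the UNIDLE optimisation is left out).

```c
#define MAX_PROC    8
#define MAX_VP      4
#define NO_AFFINITY (-1)
#define IDLE        (-1)

enum pstate { READY, BLOCKED, RUN };

/* Active Process Table entry (fields assumed from the text's description). */
struct apt_entry { int process_id; enum pstate state; int affinity; int priority; };

static struct apt_entry apt[MAX_PROC];
static int apt_count;
static int vp_loaded[MAX_VP];   /* APT index on each virtual processor, or IDLE */
static int vp_count;
static int preempts_sent;       /* number of INNER_TC('PRE_EMPT_INT') requests */

void tc_init(int nvp)
{
    int v;
    vp_count = nvp > MAX_VP ? MAX_VP : nvp;
    for (v = 0; v < vp_count; v++)
        vp_loaded[v] = IDLE;
    apt_count = 0;
    preempts_sent = 0;
}

static int find_proc(int pid)
{
    int p;
    for (p = 0; p < apt_count; p++)
        if (apt[p].process_id == pid)
            return p;
    return -1;
}

static int can_run_on(int p, int vp)
{
    return apt[p].affinity == NO_AFFINITY || apt[p].affinity == vp;
}

/* The rule from the text: the ready process with the highest priority and
 * the proper affinity for this virtual processor. */
static int best_ready(int vp)
{
    int p, best = -1;
    for (p = 0; p < apt_count; p++)
        if (apt[p].state == READY && can_run_on(p, vp) &&
            (best < 0 || apt[p].priority > apt[best].priority))
            best = p;
    return best;
}

/* Give the virtual processor to the best ready process, or leave it idle. */
static void schedule(int vp)
{
    int p = best_ready(vp);
    vp_loaded[vp] = p;                 /* p is IDLE when nothing is ready */
    if (p >= 0)
        apt[p].state = RUN;
}

/* Priority of what a virtual processor is running; idle is below everything. */
static int running_priority(int vp)
{
    return vp_loaded[vp] == IDLE ? -1 : apt[vp_loaded[vp]].priority;
}

/* CREATE_PROCESS: new APT entry in the ready state; an idle virtual
 * processor the process may use picks it up at once. */
int tc_create_process(int pid, int priority, int affinity)
{
    int v, p;
    if (apt_count == MAX_PROC)
        return -1;
    p = apt_count++;
    apt[p].process_id = pid;
    apt[p].state = READY;
    apt[p].affinity = affinity;
    apt[p].priority = priority;
    for (v = 0; v < vp_count; v++)
        if (vp_loaded[v] == IDLE && can_run_on(p, v)) { schedule(v); break; }
    return p;
}

/* BLOCK: the process on vp blocks itself; the virtual processor is reassigned. */
void tc_block(int vp)
{
    if (vp_loaded[vp] != IDLE)
        apt[vp_loaded[vp]].state = BLOCKED;
    schedule(vp);
}

/* Pre-empt interrupt handling: the pre-empted process returns to ready and
 * the highest-priority ready process takes the virtual processor. */
static void tc_preempt(int vp)
{
    preempts_sent++;
    if (vp_loaded[vp] != IDLE)
        apt[vp_loaded[vp]].state = READY;
    schedule(vp);
}

/* WAKEUP: make the process ready; if a virtual processor it may use is
 * running something of lower priority (idle included), pre-empt that one. */
void tc_wakeup(int pid)
{
    int p = find_proc(pid), v, target = -1;
    if (p < 0 || apt[p].state != BLOCKED)
        return;
    apt[p].state = READY;
    for (v = 0; v < vp_count; v++)
        if (can_run_on(p, v) && running_priority(v) < apt[p].priority &&
            (target < 0 || running_priority(v) < running_priority(target)))
            target = v;
    if (target >= 0)
        tc_preempt(target);
}

int tc_running_on(int vp) { return vp_loaded[vp] == IDLE ? -1 : apt[vp_loaded[vp]].process_id; }
int tc_preempts(void) { return preempts_sent; }
int tc_state(int pid) { int p = find_proc(pid); return p < 0 ? -1 : (int)apt[p].state; }
```

With one virtual processor, a priority-5 process that blocks hands the processor to a priority-3 process, and waking the priority-5 process pre-empts it again; a process with affinity for virtual processor 1 is never placed on virtual processor 0 even when that one is idle.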

The traffic controller can also be invoked by the calls 'STOP_PROCESS', 'CREATE_PROCESS', 'START_PROCESS' and 'DESTROY_PROCESS'.

'CREATE_PROCESS', PARAMETER_LIST is used to begin a new process. An entry for the process is made in the active process table.

'STOP_PROCESS' is used to put a process in the STOPPED state; the process is removed from the active process table and put in the stopped process table (SPT). The SPT is similar to the APT but it is referenced infrequently.

'START_PROCESS' is used to move a process from the stopped process table (SPT) to the active process table and also from the stopped state to the ready state.

'DESTROY_PROCESS' is used to terminate the life of a process. The process is removed from the APT or SPT and the memory manager process is signaled to disconnect the process from any connected segments.

d. Inner Traffic Controller (Kernel)

The inner traffic controller multiplexes the virtual processors with the physical processors [18]. There is a many to one correspondence from the virtual processors of the traffic controller to the physical processors. In addition there are the virtual processors assigned to the system processes. The inner traffic controller uses the data base shown in figure 14. It is also responsible for the mapping registers (hardware segment descriptors) which contain the information shown in figure 15. Each physical processor has only specific virtual processors that can be multiplexed on it. Each virtual processor has a priority and a state (running, ready and wait). The inner traffic controller allows the virtual processor with the highest priority in the ready state to run on the processor. The wait pending bit [3, p.30] is used to avoid a race condition between the signal and wait primitives. The inner traffic controller is able to swap the virtual processors in and out of the processors by loading and unloading the appropriate execution state and mapping registers.

The inner traffic controller provides inter-process as well as intra-process services. It is invoked by a number of calls requesting information contained in the mapping registers or providing information to update the mapping registers. To supplement the hardware fault within the memory management registers the inner traffic controller maintains a set of software faults for each segment (segment fault, memory fault). This allows the inner traffic controller to interpret the hardware fault and generate an appropriate virtual fault.

INNER_TC('ASSIGN', SEGMENT_#, ACCESS) - a new segment number has been assigned with the indicated access. Load the appropriate register with the access, set the fault bit and the software memory fault.

INNER_TC('LOAD', SEGMENT_#, ABS_ADD, BOUND) - a segment has been loaded into memory; load the appropriate addresses in the mapping register and reset the memory software fault and fault bit if appropriate.

INNER_TC('UNLOAD', SEGMENT_#, WRITTEN) - the segment is being removed from memory; set the memory software fault and the fault bit and return the value of the written bit.

INNER_TC('WRITTEN_BITS', BITS) - an array reflecting the value of the written bits is returned.

INNER_TC('GET_USED_BITS', USED_BITS) - an array reflecting the value of the used bits is returned.

INNER_TC('SET_USED_BITS', USED_BITS) - an array is received reflecting the desired value of the used bits. The inner traffic controller sets the used bits to the desired values. The hypothesized hardware used bits are also set by hardware whenever a segment is referenced.
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INNER TC(°LOAD MMU’, LOC_EX_STATE, ABS_ADD_MAP) 
~ a request to load a virtual processor with a new process 
and create the memory management unit registers. 

INNER_TC(“UNLOAD_MMU”, LOC_EX_STATE) — a request 
to unload a virtual processor and save the execution state 
in the indicated location. 

INNER_TC(“SET_SEG_FAULT”, PROCESS ID, SEGMENT #) 
- a request to Set the software segment fault in the data 
base (figure 14). 

INNER_TC(“IDLE") - a request to load the idle 
process and reduce the priority of the virtual processor to 
the lowest possible. 

INNER_TC('PRE_EMPT_INT', VIRT_PRO_ID) - a
request to generate a virtual pre-empt interrupt to the
indicated virtual processor. The inner traffic controller
determines which physical processor the virtual processor is
in and sends an appropriate hardware interrupt to that
processor. If the virtual processor is in the wait state the
interrupt is held pending until the virtual processor is put
in the ready state.

INNER_TC('UNIDLE', VIRT_PRO_ID) - a request to
unload the idle process, reinstate the loaded process and
restore the priority of the virtual processor.

The inner traffic controller is also invoked by
the signal and wait primitives. Signal and wait provide the
synchronization between the system processes and the user
processes. The inner traffic controller utilizes the signal
and wait primitives to change the state of the virtual
processors and thereby control the multiplexing of the
virtual processors to the real processors, based on their
priorities.
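As an added illustration (not code from the thesis), the following C model shows how the inner traffic controller primitives above fit together on one virtual processor's mapping registers: ASSIGN marks a segment connected but not resident, LOAD clears the software memory fault, UNLOAD re-raises it and reports the written bit, SET_SEG_FAULT forces the next reference back through the traffic controller, and CHANGE_ADD re-points a resident segment. The register layout, the function names, the fault codes (FAULT_SEGMENT, FAULT_MEMORY, FAULT_ACCESS, FAULT_BOUND) and the reference() function, which stands in for the hypothesized hardware check plus the inner traffic controller's interpretation of the trap, are all this example's own assumptions.

```c
/* Added example (not the thesis's code): a C model of the inner traffic
 * controller's segment mapping registers and its fault classification.
 * Register layout, function names and fault codes are assumptions. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NSEG 8                              /* registers per virtual processor */
enum { ACC_READ = 1, ACC_WRITE = 2, ACC_EXEC = 4 };
enum fault { FAULT_NONE, FAULT_SEGMENT, FAULT_MEMORY, FAULT_ACCESS, FAULT_BOUND };

/* One hypothesized hardware register plus the two software fault flags.
 * Hardware looks only at fault_bit, access and bound and sets used/written;
 * the inner TC reads the software flags to turn a trap into a segment fault
 * (not connected, or access revoked) or a memory fault (not resident). */
struct seg_reg {
    uint8_t  access, fault_bit, sw_seg_fault, sw_mem_fault, used, written;
    uint32_t abs_add, bound;
};
struct mmu { struct seg_reg reg[NSEG]; };

/* INNER_TC('ASSIGN', SEGMENT #, ACCESS): connected but not yet resident. */
void itc_assign(struct mmu *m, int seg, uint8_t access) {
    struct seg_reg *r = &m->reg[seg];
    memset(r, 0, sizeof *r);
    r->access = access; r->sw_mem_fault = 1; r->fault_bit = 1;
}

/* INNER_TC('LOAD', SEGMENT #, ABS_ADD, BOUND): the segment is resident. */
void itc_load(struct mmu *m, int seg, uint32_t abs_add, uint32_t bound) {
    struct seg_reg *r = &m->reg[seg];
    r->abs_add = abs_add; r->bound = bound; r->sw_mem_fault = 0;
    r->fault_bit = r->sw_seg_fault;   /* stays set while a segment fault is pending */
}

/* INNER_TC('UNLOAD', SEGMENT #, WRITTEN): returns the written bit so the
 * memory manager knows whether the copy must go back to secondary storage. */
int itc_unload(struct mmu *m, int seg) {
    struct seg_reg *r = &m->reg[seg];
    int written = r->written;
    r->sw_mem_fault = 1; r->fault_bit = 1; r->written = 0;
    return written;
}

/* INNER_TC('SET_SEG_FAULT', PROCESS_ID, SEGMENT #): e.g. the ACL changed;
 * the next reference must go back through the traffic controller. */
void itc_set_seg_fault(struct mmu *m, int seg) {
    m->reg[seg].sw_seg_fault = 1; m->reg[seg].fault_bit = 1;
}

/* INNER_TC('CHANGE_ADD', PROCESS_ID, SEGMENT #, ABS_ADD): the segment moved. */
void itc_change_add(struct mmu *m, int seg, uint32_t abs_add) { m->reg[seg].abs_add = abs_add; }

/* INNER_TC('GET_WRITTEN_BITS', WRITTEN_BITS): snapshot of the written bits. */
void itc_get_written_bits(const struct mmu *m, uint8_t out[NSEG]) {
    for (int i = 0; i < NSEG; i++) out[i] = m->reg[i].written;
}

/* The hypothesized hardware check on a reference, then the inner TC's
 * interpretation of the trap.  On success *abs_out gets the absolute address. */
enum fault reference(struct mmu *m, int seg, uint32_t offset, uint8_t want,
                     uint32_t *abs_out) {
    if (seg < 0 || seg >= NSEG) return FAULT_SEGMENT;
    struct seg_reg *r = &m->reg[seg];
    if (r->fault_bit) return r->sw_seg_fault ? FAULT_SEGMENT : FAULT_MEMORY;
    if ((r->access & want) != want) return FAULT_ACCESS;
    if (offset >= r->bound) return FAULT_BOUND;
    r->used = 1;                                   /* hardware sets used ...     */
    if (want & ACC_WRITE) r->written = 1;          /* ... and written on a store */
    if (abs_out) *abs_out = r->abs_add + offset;
    return FAULT_NONE;
}

/* Walk one segment through its lifecycle; 1 if each step faults (or not)
 * exactly as the design says it should. */
int lifecycle_ok(void) {
    struct mmu m; uint32_t a = 0; uint8_t w[NSEG];
    memset(&m, 0, sizeof m);
    itc_assign(&m, 3, ACC_READ | ACC_WRITE);
    if (reference(&m, 3, 0, ACC_READ, &a) != FAULT_MEMORY) return 0;   /* not resident */
    itc_load(&m, 3, 0x1000, 256);
    if (reference(&m, 3, 16, ACC_WRITE, &a) != FAULT_NONE || a != 0x1010) return 0;
    if (reference(&m, 3, 0, ACC_EXEC, &a) != FAULT_ACCESS) return 0;    /* no execute */
    if (reference(&m, 3, 256, ACC_READ, &a) != FAULT_BOUND) return 0;   /* past bound */
    itc_get_written_bits(&m, w);
    if (!w[3] || itc_unload(&m, 3) != 1) return 0;                      /* dirty copy */
    if (reference(&m, 3, 0, ACC_READ, &a) != FAULT_MEMORY) return 0;
    itc_load(&m, 3, 0x2000, 256);
    itc_set_seg_fault(&m, 3);                                            /* ACL changed */
    if (reference(&m, 3, 0, ACC_READ, &a) != FAULT_SEGMENT) return 0;
    itc_load(&m, 3, 0x2000, 256);            /* a LOAD must not clear a segment fault */
    return reference(&m, 3, 0, ACC_READ, &a) == FAULT_SEGMENT;
}

int main(void) { printf("lifecycle %s\n", lifecycle_ok() ? "ok" : "FAILED"); return 0; }
```

The point worth noticing is the last two steps: a LOAD never clears the fault bit while a software segment fault is outstanding. Residency and authorization are tracked by separate flags, so an access revoked through the traffic controller cannot be re-enabled as a side effect of the memory manager bringing the segment back into memory.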
Non-Distributed Kernel


The non-distributed kernel consists of the system
processes. These processes have the characteristic that they
function asynchronously with respect to each user process. The
system processes, as they are called, can reside in the local
memory of each processor, but their shared data bases will
reside in global memory.

a. Memory Manager (System Process) 

The memory manager process utilizes the Active
Segment Table (figure 9) as a data base. The portion of the
AST that contains system wide information will reside in
global memory. The portion of the AST that only relates to a
single processor can be distributed and will reside in local
memory.

The memory manager process is responsible for
two basic tasks: requests to bring segments into memory and
requests to remove segments from memory. Other processes
task it by use of the signal and wait primitives. The
memory manager process has four tasks (entries): IN, OUT,
LOAD, and UNLOAD. IN and OUT are requests to load and
remove a single segment. LOAD and UNLOAD are requests to
load and unload a number of segments.
The task to load a segment requires several
considerations. Is the segment currently active (AST entry)?
If it is, is it presently residing in global memory? If it
is not in global memory, does the access of the added process
require that it be moved to global memory? How are the
processes with copies alerted? The AST provides all the necessary
answers to render the proper decision as to where to load
the segment.

At this time a closer look at the AST is called
for. It should be noted that every segment that presently
resides in memory is active and its address can be
determined from the AST. The virtual processor that it is in
can also be determined, as well as the segment number by
which it is known within that virtual processor.

When a segment must be loaded into global memory
(based on user access) there is a need to notify the processors
having a copy of the segment of the segment's relocation.
After the segment has been loaded in global memory, the
memory manager process tasked to load the segment can
determine from the AST in which processors the segment is
presently loaded. These processors are sent
SIGNAL('MEMORY_MANAGER', 'MOVE', UNIQUE_ID, ABS_ADD), where
ABS_ADD is the global address of the segment. Each memory
manager process that receives the signal('MOVE') will check
its local AST to determine which processes have the segment
loaded and the segment number assigned, and then CALL
INNER_TC('CHANGE_ADD', PROCESS_ID, SEGMENT #, ABS_ADD) for
each process that has the segment in local memory. The inner
traffic controller will update the mapping register to
reflect the new absolute address.

If a user requests access and another user
already has write access, there is a need to get the current
copy moved to global memory. In this case the memory manager
process attempting to load the segment must
SIGNAL('MEMORY_MANAGER', 'MOVE_IT', UNIQUE_ID) and
WAIT(PROCESS_ID, MSG). The processor with the current copy
of the segment was determined from the AST. The memory
manager process with the current copy, after receiving the
signal('MOVE_IT'), will relocate the segment in global
memory, CALL INNER_TC('CHANGE_ADD', PROCESS_ID, SEGMENT #,
ABS_ADD) and SIGNAL('MEMORY_MANAGER', 'MOVED', UNIQUE_ID,
ABS_ADD). It should be noted that some
synchronization is required between the memory manager process
and the inner traffic controller to ensure the segment was
not written into during the time it took to move it and
change the address; otherwise a store that lands in the old
copy after it was read but before the mapping register was
changed would be lost.
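The exchange described above, as an added example that is not the thesis's own code: a C simulation of the MOVE_IT, MOVED and MOVE signals between memory manager processes on three processors. The AST entry layout, the one-slot mailbox standing in for SIGNAL and WAIT, the constructed local and global addresses, the requester field carried in the message and all function names are this example's assumptions. The race the last sentence warns about is modelled by a hook that stores into the local copy between the copy and the CHANGE_ADD; the holder clears the written bit before copying and re-checks it after the remap, copying once more if a store slipped in.

```c
/* Added example (not the thesis's code): a C simulation of the memory manager
 * exchange that relocates a segment from one processor's local memory to
 * global memory.  AST layout, mailbox, addresses and names are assumptions. */
#include <stdint.h>
#include <string.h>

#define NPROC 3
#define SEGLEN 16
#define LOCAL_BASE(p) (0x1000u * ((p) + 1u))   /* constructed local addresses */
#define GLOBAL_BASE   0x8000u                  /* constructed global address  */
static uint8_t local_mem[NPROC][SEGLEN];       /* one local bank per processor */
static uint8_t global_mem[SEGLEN];             /* the shared global bank       */

/* System-wide AST entry for one segment; the per-processor part (which
 * process holds it, under which segment number) is folded into arrays. */
struct ast_entry {
    uint32_t unique_id;
    int      in_global;            /* current copy lives in global memory   */
    int      holder;               /* processor with the local copy, or -1 */
    int      holder_write;         /* the holder has write access           */
    int      has_copy[NPROC];      /* processors holding a local copy       */
    uint32_t mapped_add[NPROC];    /* ABS_ADD each processor's MMU maps     */
    int      written;              /* hypothesized hardware written bit     */
};

/* Stand-in for SIGNAL and WAIT: a one-slot mailbox per memory manager. */
enum msg_kind { MSG_NONE, MSG_MOVE_IT, MSG_MOVED, MSG_MOVE };
struct msg { enum msg_kind kind; int from; uint32_t unique_id, abs_add; };
static struct msg mailbox[NPROC];
static int signals_sent;
static void SIGNAL(int to, int from, enum msg_kind k, uint32_t id, uint32_t add) {
    mailbox[to] = (struct msg){ k, from, id, add };
    signals_sent++;
}

/* INNER_TC('CHANGE_ADD', PROCESS_ID, SEGMENT #, ABS_ADD) on processor p. */
static void inner_tc_change_add(struct ast_entry *e, int p, uint32_t add) { e->mapped_add[p] = add; }

/* A user process on p stores into its still-local copy and the hardware
 * sets the written bit; installed as race_hook to model the race. */
static void user_write(struct ast_entry *e, int p) { local_mem[p][0] = 'B'; e->written = 1; }
static void (*race_hook)(struct ast_entry *, int);

/* The holder's memory manager handling SIGNAL('MOVE_IT').  The written bit
 * is cleared before the copy and re-checked after the remap, so a store
 * landing in the local copy in between is copied again, not lost. */
static void mm_handle_move_it(struct ast_entry *e, int holder, int requester) {
    do {
        e->written = 0;
        memcpy(global_mem, local_mem[holder], SEGLEN);
        if (race_hook) { race_hook(e, holder); race_hook = NULL; }
        inner_tc_change_add(e, holder, GLOBAL_BASE);   /* stores now go global */
    } while (e->written);                              /* raced: copy once more */
    e->in_global = 1; e->holder = -1; e->holder_write = 0;
    for (int q = 0; q < NPROC; q++)                    /* tell other copy holders */
        if (q != holder && e->has_copy[q]) {
            SIGNAL(q, holder, MSG_MOVE, e->unique_id, GLOBAL_BASE);
            inner_tc_change_add(e, q, mailbox[q].abs_add);  /* q's manager reacts */
        }
    SIGNAL(requester, holder, MSG_MOVED, e->unique_id, GLOBAL_BASE);
}

/* Memory manager task IN on processor p: decide where the segment goes. */
static uint32_t mm_in(struct ast_entry *e, int p, int want_write) {
    if (e->in_global) { inner_tc_change_add(e, p, GLOBAL_BASE); return GLOBAL_BASE; }
    if (e->holder < 0) {                               /* first user: local memory */
        e->holder = p; e->holder_write = want_write; e->has_copy[p] = 1;
        inner_tc_change_add(e, p, LOCAL_BASE(p)); return LOCAL_BASE(p);
    }
    if (e->holder == p) return e->mapped_add[p];
    if (!e->holder_write && !want_write) {             /* reader joins readers */
        memcpy(local_mem[p], local_mem[e->holder], SEGLEN);
        e->has_copy[p] = 1;
        inner_tc_change_add(e, p, LOCAL_BASE(p)); return LOCAL_BASE(p);
    }
    SIGNAL(e->holder, p, MSG_MOVE_IT, e->unique_id, 0);  /* a writer is involved */
    mm_handle_move_it(e, e->holder, p);                /* holder runs; we WAIT */
    if (mailbox[p].kind != MSG_MOVED) return 0;
    inner_tc_change_add(e, p, mailbox[p].abs_add);
    return mailbox[p].abs_add;
}

static void reset(struct ast_entry *e, uint32_t id) {
    memset(e, 0, sizeof *e); e->unique_id = id; e->holder = -1;
    memset(local_mem, 0, sizeof local_mem); memset(global_mem, 0, sizeof global_mem);
    signals_sent = 0; race_hook = NULL;
}

/* Processor 0 holds a writable copy, processor 1 asks to read it and a store
 * races the move: 1 if the global copy carries the raced store. */
int race_scenario_ok(void) {
    struct ast_entry e; reset(&e, 42);
    mm_in(&e, 0, 1); local_mem[0][0] = 'A'; race_hook = user_write;
    uint32_t a1 = mm_in(&e, 1, 0);
    return a1 == GLOBAL_BASE && e.mapped_add[0] == GLOBAL_BASE
        && global_mem[0] == 'B' && signals_sent == 2;
}

/* Two readers with local copies, then a writer: the holder moves the segment
 * and the other reader is told where it went. */
int reader_scenario_ok(void) {
    struct ast_entry e; reset(&e, 43);
    mm_in(&e, 0, 0); mm_in(&e, 1, 0);
    uint32_t a2 = mm_in(&e, 2, 1);
    return a2 == GLOBAL_BASE && e.mapped_add[1] == GLOBAL_BASE
        && mailbox[1].kind == MSG_MOVE && signals_sent == 3;
}
```

In a real kernel the re-check in mm_handle_move_it would be done against the written bit the inner traffic controller returns, with the holder's virtual processors prevented from running between the sample and the remap; the simulation keeps the same order of operations (clear, copy, remap, re-check) so that the window the text describes is visible.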

As segments are loaded and unloaded the AST is
updated appropriately. When a segment is removed from memory,
if it has been written into, the segment is copied back to
secondary storage.

The AST also provides a method of notifying
processes of segment faults. If the memory manager process
(for each processor connected with a loaded connected
process) is notified when the access control list for a
segment is changed by SIGNAL('MEMORY_MANAGER',
'SET_SEG_FAULT', UNIQUE_ID), then every loaded connected
process can be notified by CALL INNER_TC('SET_SEG_FAULT',
PROCESS_ID, SEGMENT #). For processes that are not loaded,
the traffic controller is similarly called to set the
software segment fault (figure 13). This means that the
software segment fault will have to be set for connected
processes when a segment is removed from the AST, so that
their next reference is re-validated rather than served
from a stale mapping.
b. I/O Manager 

The I/O manager is responsible for the external
I/O. There could be more than one I/O manager process,
conceivably one for each external device; corresponding
kernel calls must be provided. For example, there could be an
I/O manager that handles all the external I/O to and from
the user terminals. It is sufficient, at this point, to say
that the I/O manager exists and handles external I/O.
Follow On Work 


It should be re-emphasized that this is a design
and not an implementation. Although the detail is left for
further work, the design proposed forms a substantial basis
upon which an implementation can be realized. The system
process structure is provided for in the design; however,
the system processes have been treated lightly and require
additional work. The user interface (supervisor calls)
presented is by no means an exhaustive list and could use
further extension for additional supervisor services.





IV. CONCLUSION 


The state of the art techniques and design methodology
used to design secure operating systems for multiple mini and
maxi processors have been found applicable to the multiple
microprocessor environment. The principal conclusion is that
the operating system design in this thesis will make it
possible to use modern microprocessors more effectively than
has been possible in the past.

One question that is addressed concerns the operating
system's ability to scale. Systems now available can support
four or five microprocessors. Increasing that number of
microprocessors quickly brings serious degradation because
of the increased bus contention. The expected scaling factor
is much better for this design. The bus contention has been
significantly reduced: segmentation permits effectively
using local memory instead of global memory.

This design supports a family of operating systems, not
one designed for a specific application. Sub-sets of
this system can be constructed to provide the desired
functions because the design used a loop-free structure.
Included family members range from a core resident tactical
system to a virtual memory time sharing system.

Configuration independence is supported in this design.
One or many physical processors can be added or subtracted
from the system without affecting the workability of the
system. Similarly, memory can be added or subtracted.

Security has been designed into this system. It was not
added on as an afterthought. This design used a security
kernel based upon a mathematical model to ensure the
security. A secure multilevel environment is provided by
this system.

Commercial devices will soon be widely available to
implement this operating system. The Zilog Z8000 series
microprocessor, for example, will provide the segmentation
and multiple domains necessary for an effective system. The
present data buses are compatible and, when used with this
operating system, allow a significant number of processors to
be effectively used.